Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
ok thank you
Conditional access policy - block legacy authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 69%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYR%3C/text%3E%3C/svg%3E)
Yatheesh R/GF INJECTABLE PRODUCTION/BIOSPHERE
0
Reputation points
Conditional access policy - block legacy authentication
I have configured the block legacy authentication policy for a customer and what to verify it. How can I check if this policy is working or not. Can someone please help on this, with the steps to check this or any steps which would generate some logs to…
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator2026-06-18T07:59:37.1933333+00:00 Hi Yatheesh R/GF INJECTABLE PRODUCTION/BIOSPHERE,
To verify if your Conditional Access policy to block legacy authentication is working, you can follow these steps:
1. Use Sign-in Logs in Microsoft Entra Admin Center
- Go to the Microsoft Entra admin center: https://entra.microsoft.com
- Navigate to Identity > Monitoring & health > Sign-in logs.
- In the sign-in logs, filter for Client app and select Legacy Authentication Clients (such as IMAP, POP, SMTP, etc.).
- Attempt a sign-in using a legacy authentication protocol (from a test account, if possible).
- Check the result in the logs:
- If the policy is working, you should see the sign-in attempt blocked due to the Conditional Access policy.
- The "Conditional Access" column will indicate the policy applied and the result.
2. Review Conditional Access Insights and Reporting
- In the Conditional Access section, use the Insights and reporting blade to review which policies have been applied to recent sign-ins.
- This can help you confirm that your "Block legacy authentication" policy is being enforced.
3. Audit Logs
- You can also check the Audit logs for policy changes and enforcement actions.
4. Additional References
- Block legacy authentication in Azure AD
- Sign-in logs in Microsoft Entra ID
- Conditional Access insights and reporting
Tip: Make sure you test with an account that is targeted by the policy and using a legacy authentication protocol. If you don’t see any blocked attempts, ensure that legacy authentication is still being used in your environment, as modern authentication clients won’t be affected.
Sign in to comment
2 answers
Sort by: Most helpful
-
Yatheesh R/GF INJECTABLE PRODUCTION/BIOSPHERE 0 Reputation points
2026-06-18T07:47:19.53+00:00 -
AI answer
2026-06-18T07:46:09.0266667+00:00 Use the sign-in logs and the policy’s report-only data to verify that the “Block legacy authentication” Conditional Access policy is working.
- Confirm where legacy auth is in use
- Sign in to the Microsoft Entra admin center as at least a Reports Reader.
- Go to Entra ID → Monitoring & health → Sign-in logs.
- Select Columns → ensure Client App is selected.
- Select Add filters → Client App → choose all legacy authentication protocols → Apply.
- Repeat step 4 on the User sign-ins (non-interactive) tab.
- Review the results to see which users/apps are attempting legacy authentication.
- Verify the Conditional Access policy in report-only mode
- In Entra admin center, go to Entra ID → Conditional Access → Policies.
- Open the “Block legacy authentication” policy.
- Ensure Assignments → Users or workload identities and Target resources match the intended scope.
- Under Conditions → Client apps, confirm only Exchange ActiveSync clients and Other clients are selected.
- Set Enable policy to Report-only if not already.
- Have a test account (in scope of the policy) attempt to sign in using a legacy client/protocol that previously showed up in the sign-in logs.
- Return to Sign-in logs, filter by that test user, and check the Conditional Access tab on the sign-in details:
- Confirm the “Block legacy authentication” policy is Applied and the result shows it would Block access.
- Verify enforcement (policy set to On)
After confirming the policy impact in report-only mode:
- Edit the policy and change Enable policy from Report-only to On.
- Repeat the legacy auth sign-in test with the same test account.
- In Sign-in logs, verify:
- The sign-in is failed/blocked.
- The Conditional Access tab shows the “Block legacy authentication” policy as Applied with Grant: Block access.
- Ongoing monitoring
- Continue to use the Client App filter in sign-in logs to ensure legacy auth attempts are being blocked and to identify any remaining accounts or apps that still try to use legacy protocols.
- Optionally, use the Sign-ins using legacy authentication workbook to triage legacy authentication usage across the tenant.
References:
AI-generated content may be incorrect. Read our transparency notes for more information. - Confirm where legacy auth is in use