Azure AD Conditional Access with Office apps


I’ve set up a trial of Duo with the intention of enabling MFA for Office 365.
We primarily use Outlook, but some users also access via OWA.

I am not linking Duo to an on-prem AD.
I have enabled Duo with Conditional Access in Azure AD, currently for 1 test user, using the supplied JSON script and ticking the following cloud apps: Email, Office 365, Exchange Online, SharePoint Online
and the following conditions: Client apps -> all ticked (except "Apply policy only to supported platforms", which I left unticked).

When attempting to access via the Office 365 portal it prompts for MFA correctly.
However, I can install Office on a test PC using the account and it lets me in to Outlook without any MFA prompt!

Have I missed something here?




Have you tried using the “What if?” tool in Conditional Access to make sure you’re hitting the right policy?



Yes, no matter what combination I try, it always reaches the "Require Duo MFA" policy.
But Outlook (v1903 / Feb 2019), the Android mail app, the iPhone mail app and the Google mail app all still allow authentication with just basic credentials.



Do you have Modern Authentication enabled for your Office 365 tenant?



That’s a good question. Just realised we don’t. I will look at enabling it.
However, enabling modern auth in the tenant does not prevent clients continuing to use basic auth.

My point is that a potential attacker could gain access posing as an Outlook client, bypassing MFA.

The Conditional Access policy should prevent such logins, given that I have it set to force MFA (Duo) on all client apps and cloud apps. Yet it is only impacting cloud apps.



pgp, your answer led me to the solution.
For anyone experiencing the same issue:

  1. Enable modern auth in the tenant.

  2. Set up Conditional Access policies to force MFA on specific users.

  3. Disable basic auth (also done via a Conditional Access policy, set to block).
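As an added example (not from the thread or from Duo's documentation), the PowerShell below carries out steps 1 and 3 of the fix above for a single pilot user: it verifies and enables modern authentication (OAuth2) in Exchange Online, then creates a Conditional Access policy that blocks the legacy client app types through which basic-auth clients sign in. Step 2, the Duo custom-control MFA policy the poster already had, is not repeated here. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, an account with the rights to change tenant configuration and Conditional Access policies, and the user object ID shown is a placeholder to be replaced with the test user's ID.

```powershell
# Added example, not code from the thread. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules are installed. $pilotUserId is a placeholder.

# --- Step 1: modern authentication (OAuth2) in the Exchange Online tenant ---
Connect-ExchangeOnline

$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
# Re-read the setting to confirm the change took effect.
(Get-OrganizationConfig).OAuth2ClientProfileEnabled

# --- Step 3: block legacy (basic) authentication with Conditional Access ---
# Basic-auth clients appear under the "exchangeActiveSync" and "other" client app
# types. Conditional Access cannot inject an MFA prompt into a basic-auth flow, so
# the only effective grant control for these client types is "block"; that is why
# an MFA-only policy lets the old Outlook build and phone mail apps straight in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotUserId = "00000000-0000-0000-0000-000000000000"   # placeholder: the test user's object ID

$policy = @{
    displayName = "Block legacy authentication (pilot)"
    # Start in report-only mode and read the sign-in logs before enforcing,
    # so that any remaining basic-auth clients are found rather than locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @($pilotUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Before flipping `state` to `enabled`, filter the Azure AD sign-in logs on Client app = "Other clients" and "Exchange ActiveSync" for the pilot user: every hit is a device still authenticating with basic credentials that the MFA policy alone never saw, which is exactly the gap described in this thread.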