Azure AD Conditional Access with Office apps

#1

I’ve set up a trial of Duo with the intention of enabling MFA for Office 365.
We primarily use Outlook, but some users also access via OWA.

I am not linking Duo to an on-prem AD.
I have enabled Duo with Conditional Access in Azure AD, currently for 1 test user, using the supplied JSON script and ticking the following cloud apps: Email, Office 365, Exchange Online, SharePoint Online,
and the following conditions: client apps -> all ticked (except "apply policy only to supported platforms", which I left unticked).

When attempting to access via the Office 365 portal it prompts for MFA correctly.
However, I can install Office on a test PC using the account and it lets me in to Outlook without any MFA prompt!

Have I missed something here?

Thanks…


#2

Have you tried using the “What if?” tool in Conditional Access to make sure you’re hitting the right policy?


#3

Yes, no matter what combination I try it always reaches the "require Duo MFA" policy.
But Outlook (v1903 / Feb 2019), the Android mail app, the iPhone mail app and the Google mail app all still allow authentication with just the basic credentials.


#4

Do you have Modern Authentication enabled for your Office 365 tenant?


#5

That's a good question. Just realised we don't. I will look at enabling it.
However, enabling modern auth in the tenant does not prevent clients continuing to use basic auth.

My point is that a potential attacker could gain access posing as an Outlook client, bypassing MFA.

The Conditional Access policy should prevent such logins, given that I have it set to force MFA (Duo) on all client apps and cloud apps. Yet it is only impacting cloud apps.


#6

pgp - your answer led me to the solution.
For anyone experiencing the same issue:

  1. Enable modern auth in the tenant:
    https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

  2. Set up Conditional Access policies to force MFA on specific users.

  3. Disable basic auth (also done via a Conditional Access policy, set to block):
    https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417

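The three steps above, scripted as an added example (this is not code from the thread, from Duo or from Microsoft's docs). It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the signed-in account can change organization config and Conditional Access. The policy names, the "MFA-Pilot" group and the break-glass group id are constructed placeholders. The MFA policy uses Azure AD's built-in `mfa` grant control; the thread uses Duo, which is a custom control whose identifier is tenant-specific, so substitute your own control there. Both policies are created in report-only state so the sign-in logs show what they would have done before anything is enforced:

```powershell
# Added example, not from the original thread. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules; group names, policy names and ids are placeholders.

# --- Step 1: enable modern (OAuth2) authentication in Exchange Online ---
Connect-ExchangeOnline
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Check that the setting took effect before touching Conditional Access.
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled

# --- Steps 2 and 3: Conditional Access policies via Microsoft Graph ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Pilot group (placeholder name): the users the MFA requirement applies to.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'MFA-Pilot'"

# Step 2: require MFA for modern-auth clients (browser + desktop/mobile apps)
# of the pilot group when they reach any Office 365 workload. "Office365" is
# the special application value covering Exchange Online, SharePoint Online etc.
$requireMfa = @{
    displayName = "Require MFA - Office 365 (pilot)"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup.Id) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # swap for your Duo custom control if used
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Step 3: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that carry basic auth (legacy Outlook, IMAP/POP/SMTP, EAS).
# A break-glass group is excluded so an admin can never be fully locked out.
$blockLegacy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-id>")  # placeholder
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# List the policies and their state; flip "state" to "enabled" only after the
# report-only sign-in log entries show the expected users and clients.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The reason step 1 comes first is the behaviour the thread describes: a basic-auth Outlook sign-in is evaluated as an "other clients" legacy-auth request, which the MFA grant cannot be applied to, so an MFA-only policy lets it through. Enabling modern auth lets Outlook 2016/1903-era clients use OAuth2 (and so hit the MFA policy), and the block policy closes the basic-auth path for clients that never switch.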