
Work and live with IT

The case of the... Intune SCEP Profile hangs in pending state

The case of the... In this category I publish blog posts explaining a problem and the solution, but more importantly the analysis that led to the root cause. The name is a homage to “The Case of the Unexplained” by Mark Russinovich. The error: “Trust of the root CA is best established by deploying a trusted certificate profile to the same group that receives the SCEP certificate profile. […] To use a SCEP certificate profile, a device must have also received the trusted certificate profile that provisions it with your Trusted Root CA certificate.”

Phase out Legacy Authentication - The first 90%

Blog series: This is part three of the six-part series on “Phase out Legacy Authentication” (Preface, Enable Modern Authentication, Create prerequisites, Gain insights, The first 90%, The next 9%, Endgame, Recap). The first three parts of the series set the stage (1/2) for the deactivation and used Entra ID (Azure AD) workbooks and Kusto queries to identify the first user group. Add AAD group members: To go straight ahead, the Entra ID (Azure AD) group CAPolicy-Include-Block-Legacy-Authentication must be populated with the users returned by the last query.

Phase out Legacy Authentication - Gain insights

Blog series: This is part three of the six-part series on “Phase out Legacy Authentication” (Preface, Enable Modern Authentication, Create prerequisites, Gain insights, The first 90%, The next 9%, Endgame, Recap). In the first part, Modern Authentication was enabled, and in the second part the prerequisites were created to produce detailed reports and to disable Legacy Authentication for individual users. Conditional Access policy logic: To better understand how it is possible to block individual users, let’s take a look at the Conditional Access policies that were created and the sign-ins associated with them.

Phase out Legacy Authentication - Create prerequisites

Blog series: This is part three of the six-part series on “Phase out Legacy Authentication” (Preface, Enable Modern Authentication, Create prerequisites, Gain insights, The first 90%, The next 9%, Endgame, Recap). In the first part of the series, Modern Authentication was enabled for all Microsoft 365 services and can now be used. This part is about creating the prerequisites to gain detailed insight into the usage of the different authentication methods and to make it possible to disable legacy authentication per user.

Phase out Legacy Authentication - Enable Modern Authentication

Blog series: This is part two of the six-part series on “Phase out Legacy Authentication” (Preface, Enable Modern Authentication, Create prerequisites, Gain insights, The first 90%, The next 9%, Endgame). Enable Modern Authentication: This step may seem strange, but in old tenants (created before 01.08.2017) Modern Authentication for Exchange Online and Skype for Business Online is not necessarily enabled. Exchange Online: For Exchange Online, the Exchange Online PowerShell V2 module must be installed to enable Modern Authentication.

Phase out Legacy Authentication - Preface

In an Azure AD environment, legacy authentication is the Achilles heel of security. While modern clients honour Conditional Access policies and multi-factor authentication, the use of legacy clients and their associated protocols such as SMTP, IMAP or Exchange ActiveSync creates an often-overlooked gap in this protection. Since these protocols are not compatible with Conditional Access, they “bypass” the protection unless it is explicitly defined. This is not a security hole on Microsoft’s part but a design decision, and its impact on your own environment should therefore be well understood.