The Legacy Auth Exclusion Group Nobody Prunes
A Conditional Access exclusion group created during the Basic Auth migration keeps growing long after the cutover finished, and every account inside it authenticates via IMAP, POP or SMTP AUTH with no MFA claim attached. Identity Protection never logs these sign-ins as blocked legacy auth, because the policy excludes them from evaluation entirely rather than denying access.
At a glance
- Unsafe setting
- A Conditional Access legacy-auth-block policy excludes a directory group whose membership was never given an expiry or review cadence.
- Failure trigger
- Accounts added to the exemption group during the Basic Auth migration remain there permanently, authenticating via IMAP, POP or SMTP AUTH with no MFA claim.
- Blast radius
- Excluded accounts can be password-sprayed via legacy protocols with zero MFA challenge, and Identity Protection never logs the sign-ins as blocked because they were excluded, not denied.
- Recommended control
- Replace the standing CA exclusion group with per-mailbox Exchange Online Authentication Policies and a recurring Access Review, backed by an independent risk-based CA block policy.
Fix commands and configuration
New-AuthenticationPolicy -Name "LegacyAuthAllowed"Set-CASMailbox -Identity <mailbox> -AuthenticationPolicy "LegacyAuthAllowed"The Trap
A Conditional Access policy blocking legacy authentication protocols (Exchange ActiveSync clients and Other clients under the Client apps condition) is scoped to “All users” minus a group such as “Legacy-Auth-Exempt.” That group was created during the Exchange Online Basic Auth deprecation rollout to temporarily hold scanners, SMTP relays, shared mailboxes and line-of-business accounts that hadn’t yet migrated to modern auth. It was never given an expiry, an owner, or a review cadence.
The Default State
Microsoft’s own migration guidance for the 2022 Basic Auth deprecation recommended exactly this pattern: stand up a temporary exclusion group, add anything that throws an authentication error, fix it later. Azure AD groups have no native TTL on membership, and nothing in the Conditional Access UI warns that an exclusion group has stopped shrinking. Admins add accounts under deadline pressure and move on; nobody removes them once the underlying device or mailbox is fixed, because there’s no alert tied to group growth.
The Blast Radius
Every account inside that group authenticates using protocols that carry credentials in plaintext-equivalent form on every request, with no MFA challenge possible. Because the policy excludes them from evaluation rather than blocking and logging the attempt, Identity Protection’s “blocked legacy authentication” signal never fires for them — the sign-ins look like ordinary successful authentications under a policy that simply doesn’t apply. A password-spray run against IMAP or SMTP AUTH on an exempted shared mailbox succeeds silently, with no MFA friction and no risk detection tied to the client-apps condition. The compromised mailbox becomes a mail-exfiltration channel or an internal phishing launchpad, and SOC dashboards built around “legacy auth blocked” counters show nothing wrong, because the traffic was never subject to the block in the first place.
The Lead Mechanic Fix
Stop using a standing CA exclusion group as the exemption mechanism. Move per-mailbox exceptions to Exchange Online Authentication Policies instead: New-AuthenticationPolicy -Name "LegacyAuthAllowed" then Set-CASMailbox -Identity <mailbox> -AuthenticationPolicy "LegacyAuthAllowed", scoping legacy protocol access to named mailboxes rather than a growing directory group. For anything still routed through the CA exclusion group, attach an Access Review with a 30-day recurrence and auto-remove on no attestation via Entra ID Governance, and add a second, independent CA policy — “Sign-in risk ≥ Medium → Block” — scoped to all users including the exempt group, since risk-based Identity Protection evaluation runs separately from the client-apps condition and still catches anomalous legacy sign-ins the exclusion would otherwise hide.