Skip to main content
KBY Technologies Logo
cd ../config-traps
risk/register/the-legacy-auth-exclusion-group-nobody-prunes.html
Azure AD Conditional Accesshigh severityMicrosoft Entra ID

The Legacy Auth Exclusion Group Nobody Prunes

Overview

A Conditional Access exclusion group created during the Basic Auth migration keeps growing long after the cutover finished, and every account inside it authenticates via IMAP, POP or SMTP AUTH with no MFA claim attached. Identity Protection never logs these sign-ins as blocked legacy auth, because the policy excludes them from evaluation entirely rather than denying access.

At a glance

Unsafe setting
A Conditional Access legacy-auth-block policy excludes a directory group whose membership was never given an expiry or review cadence.
Failure trigger
Accounts added to the exemption group during the Basic Auth migration remain there permanently, authenticating via IMAP, POP or SMTP AUTH with no MFA claim.
Blast radius
Excluded accounts can be password-sprayed via legacy protocols with zero MFA challenge, and Identity Protection never logs the sign-ins as blocked because they were excluded, not denied.
Recommended control
Replace the standing CA exclusion group with per-mailbox Exchange Online Authentication Policies and a recurring Access Review, backed by an independent risk-based CA block policy.

Fix commands and configuration

New-AuthenticationPolicy -Name "LegacyAuthAllowed"
Set-CASMailbox -Identity <mailbox> -AuthenticationPolicy "LegacyAuthAllowed"

The Trap

A Conditional Access policy blocking legacy authentication protocols (Exchange ActiveSync clients and Other clients under the Client apps condition) is scoped to “All users” minus a group such as “Legacy-Auth-Exempt.” That group was created during the Exchange Online Basic Auth deprecation rollout to temporarily hold scanners, SMTP relays, shared mailboxes and line-of-business accounts that hadn’t yet migrated to modern auth. It was never given an expiry, an owner, or a review cadence.

The Default State

Microsoft’s own migration guidance for the 2022 Basic Auth deprecation recommended exactly this pattern: stand up a temporary exclusion group, add anything that throws an authentication error, fix it later. Azure AD groups have no native TTL on membership, and nothing in the Conditional Access UI warns that an exclusion group has stopped shrinking. Admins add accounts under deadline pressure and move on; nobody removes them once the underlying device or mailbox is fixed, because there’s no alert tied to group growth.

The Blast Radius

Every account inside that group authenticates using protocols that carry credentials in plaintext-equivalent form on every request, with no MFA challenge possible. Because the policy excludes them from evaluation rather than blocking and logging the attempt, Identity Protection’s “blocked legacy authentication” signal never fires for them — the sign-ins look like ordinary successful authentications under a policy that simply doesn’t apply. A password-spray run against IMAP or SMTP AUTH on an exempted shared mailbox succeeds silently, with no MFA friction and no risk detection tied to the client-apps condition. The compromised mailbox becomes a mail-exfiltration channel or an internal phishing launchpad, and SOC dashboards built around “legacy auth blocked” counters show nothing wrong, because the traffic was never subject to the block in the first place.

The Lead Mechanic Fix

Stop using a standing CA exclusion group as the exemption mechanism. Move per-mailbox exceptions to Exchange Online Authentication Policies instead: New-AuthenticationPolicy -Name "LegacyAuthAllowed" then Set-CASMailbox -Identity <mailbox> -AuthenticationPolicy "LegacyAuthAllowed", scoping legacy protocol access to named mailboxes rather than a growing directory group. For anything still routed through the CA exclusion group, attach an Access Review with a 30-day recurrence and auto-remove on no attestation via Entra ID Governance, and add a second, independent CA policy — “Sign-in risk ≥ Medium → Block” — scoped to all users including the exempt group, since risk-based Identity Protection evaluation runs separately from the client-apps condition and still catches anomalous legacy sign-ins the exclusion would otherwise hide.