Hello
My company is in the process of implementing VBO at the moment, and we have also stumbled upon the need for the SPO legacy protocol to be enabled.
We talked to our contacts at Veeam about it, and they gave us the solution mentioned in this forum thread.
We then decided to dig deep into the solution to see if it was okay to implement (we are currently using CA).
I talked to a colleague of mine who is a Microsoft MVP in Enterprise mobility and asked him to look at the solution provided.
He then got back to me and told me (short version): "You cannot use CA to prevent the use of the legacy protocol, because the legacy protocol cannot handle CA enforcement. CA is a top-level security measure, and when you enable the legacy protocol in SPO, you can then bypass CA with just username & password."
My first response was: are you sure? He then went a little further and asked a couple of other MVPs with in-depth knowledge of CA policies, and 3 of them told him that he was right in what he told me. One other MVP did not, and said the exact opposite.
He then went on to ask a Microsoft employee who works in the Intune team, and he confirmed what the 3 other MVPs had told him.
We have now reached out to our contacts at Microsoft to get an answer to the question "Is it safe to enable the legacy protocol in SPO and then use CA to protect it?" We are currently still waiting on the answer.
This is from a blog post regarding this topic:
Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
- This is taken from a Microsoft MVP (Enterprise mobility) -
https://alberthoitingh.com/2018/04/26/m ... on-beware/ -
His source is:
https://docs.microsoft.com/en-us/azure/ ... -practices
And that basically confirms what we have been told so far.
So, my question to you guys who have enabled the legacy protocol in SPO and are using CA to protect it: do you have any confirmation from an official source that it's absolutely 100% safe and that it's not lowering your security standard?
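The concern in the post is that a legacy-protocol sign-in to SPO is never evaluated by Conditional Access at all. One way a tenant admin can see whether that is actually happening is to look at the sign-in records for the app: a sign-in whose client is not a modern-auth client and whose CA status is "notApplied" is exactly the case the quoted blog warns about. The script below is an added example, not code from the original post or from Veeam or Microsoft. It assumes records shaped like the Microsoft Graph `signIn` resource (fields `clientAppUsed`, `conditionalAccessStatus`, `appDisplayName`, `userPrincipalName`); the records it runs over are constructed sample data, and the set of "modern" client labels is an assumption to adjust for your own tenant.

```python
"""Flag sign-ins that reached a cloud app over a legacy protocol with no
Conditional Access (CA) evaluation.

Added example, not code from the original post or from Veeam/Microsoft.
Field names follow the Microsoft Graph `signIn` resource; the records below
are constructed sample data, not real tenant sign-in logs.
"""
from collections import Counter

# clientAppUsed values that denote modern-auth capable clients.
# Assumption: anything outside this set is treated as a legacy client;
# extend it if your tenant reports other modern-auth client labels.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# conditionalAccessStatus values showing that a policy was actually evaluated.
CA_EVALUATED = {"success", "failure"}

# Constructed sample records (not real data). The legacy-client entries carry
# conditionalAccessStatus "notApplied": the sign-in went through with just
# username and password and no CA policy was applied, which is the case the
# post is asking about.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@example.test", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Other clients", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "carol@example.test", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dave@example.test", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "erin@example.test", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "conditionalAccessStatus": "notApplied"},
]


def is_legacy_client(record):
    """True when the sign-in used a client not reported as modern-auth capable."""
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def ca_evaluated(record):
    """True when CA actually evaluated the sign-in (either allowed or blocked it)."""
    return record.get("conditionalAccessStatus") in CA_EVALUATED


def find_unprotected_legacy_signins(records, app=None):
    """Return records where a legacy client reached `app` (or any app when None)
    and CA was not evaluated. A non-empty result means CA did not protect
    those sign-ins, whatever the policy says."""
    return [
        r for r in records
        if (app is None or r.get("appDisplayName") == app)
        and is_legacy_client(r)
        and not ca_evaluated(r)
    ]


def client_app_breakdown(records):
    """Count sign-ins per clientAppUsed value, so legacy usage is visible before
    anyone relies on CA to cover it."""
    return Counter(r.get("clientAppUsed", "unknown") for r in records)


if __name__ == "__main__":
    hits = find_unprotected_legacy_signins(SAMPLE_SIGNINS)
    print(f"{len(hits)} legacy sign-in(s) with no CA evaluation:")
    for r in hits:
        print(f"  {r['userPrincipalName']:<20} {r['appDisplayName']:<30} via {r['clientAppUsed']}")
    spo_hits = find_unprotected_legacy_signins(SAMPLE_SIGNINS, app="Office 365 SharePoint Online")
    print(f"{len(spo_hits)} of them against SharePoint Online")
    print("Sign-ins by client type:", dict(client_app_breakdown(SAMPLE_SIGNINS)))
```

On the constructed data the script reports three unprotected legacy sign-ins, one of them against SharePoint Online (bob, via "Other clients"). Run against a real export, any hit for SPO after the legacy protocol has been enabled is direct evidence that the CA policy is not seeing those sign-ins, which is the answer the post is waiting on from Microsoft.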