Block apps that do not use modern authentication (ADAL)

App-based conditional access with app protection policies rely on applications using modern authentication which is an implementation of OAuth2. Most current Office mobile and desktop applications use modern authentication, however there are third-party apps and older Office apps that user other authentication methods like basic authentication and forms-based authentication.

To block access to these apps, we recommend the following:

  • Set up ADFS claims rules to block non-modern authentication protocols. Detailed instructions are provided in scenario 3 - block all access to O365 except browser-based applications.
  • For SharePoint Online, disable non-modern authentication in the SharePoint Online service using the PowerShell commandlet Set-SPOTenant to set the legacy authentication protocols property to false:
 Set-SPOTenant -LegacyAuthProtocolsEnabled $false


App-based CA must not be used with Azure Active Directory (Azure AD) certificate-based authentication. You can only have one of these configured at a time.

See also

App-based conditional access with Intune