Block apps that do not use modern authentication (ADAL)
App-based conditional access with app protection policies relies on applications using modern authentication, which is an implementation of OAuth2. Most current Office mobile and desktop applications use modern authentication. However, there are third-party apps and older Office apps that use other authentication methods, such as basic authentication and forms-based authentication.
To block access to these apps, we recommend the following methods:
- Set up ADFS claims rules to block non-modern authentication protocols. Detailed instructions are provided in scenario 3 - block all access to O365 except browser-based applications.
- For Exchange and SharePoint Online, use Azure Active Directory Conditional Access, and for SharePoint Online also use the PowerShell cmdlet Set-SPOTenant. For detailed instructions, see Set up SharePoint Online and Exchange Online for Azure Active Directory conditional access.
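As an added example (not taken from the original page), the SharePoint Online part of the second method can be applied and verified as follows. It assumes the SharePoint Online Management Shell is installed, uses the cmdlet's `-LegacyAuthProtocolsEnabled` parameter (the page names only the cmdlet), and uses a placeholder admin URL.

```powershell
# Added example: check, disable, and re-verify legacy authentication
# for SharePoint Online. Requires the SharePoint Online Management Shell.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

# Assumption: placeholder admin center URL; replace with your tenant's.
$AdminUrl = 'https://contoso-admin.sharepoint.com'

Connect-SPOService -Url $AdminUrl

# Record the current state before changing anything, for the change log.
$before = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Output "LegacyAuthProtocolsEnabled before change: $before"

if ($before) {
    # Block clients that do not use modern authentication.
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
}

# Read the setting back rather than trusting that the call succeeded.
$after = (Get-SPOTenant).LegacyAuthProtocolsEnabled
if ($after) {
    Write-Error 'Legacy authentication protocols are still enabled.'
} else {
    Write-Output 'Legacy authentication protocols are disabled for SharePoint Online.'
}

Disconnect-SPOService
```

Review sign-in logs for clients still using legacy protocols before applying the change, because those clients lose access to SharePoint Online once the setting is disabled.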
App-based CA must not be used with Azure Active Directory (Azure AD) certificate-based authentication. You can only have one of these configured at a time.