How to block legacy authentication in Azure AD Premium Conditional Access

Azure AD Premium’s Conditional Access feature requires Modern Authentication to function properly. This has led some to believe that legacy clients (ex: Outlook 2010 and older, or Activesync) can bypass Conditional Access Policies.

Based on my testing, this is only half true, as it depends upon the policy that you select. If you select a ‘Grant’ policy then the legacy clients will not be able to bypass your conditional access policy. However, if you select a Block policy, then the legacy clients will bypass it and connect to the service that you want to block.

So the most conservative thing to do is to use a Grant Policy, not a Block policy.