Tenant Configuration

After completing federation and provisioning, there are a few recommended configurations in your Microsoft Entra ID tenant to ensure the best experience with BlokSec passwordless authentication.

Blocking legacy authentication is the most important tenant configuration for a passwordless deployment. Legacy authentication protocols (SMTP basic auth, POP, IMAP, Exchange ActiveSync) bypass browser-based sign-in entirely: the client sends a username and password directly to the identity provider. Since BlokSec is passwordless and doesn’t validate passwords, these legacy requests will always fail.

Blocking legacy authentication:

  • Prevents confusing authentication failures for users on old email clients
  • Eliminates a significant security risk (credentials sent in plain text)
  • Aligns with Microsoft’s own security baseline recommendations

To create the policy:

  1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com)
  2. Go to Protection > Conditional Access > Policies
  3. Click New policy
  4. Name it something descriptive like “Block legacy authentication”
[Screenshot: Create a new Conditional Access policy named “Block legacy authentication”]

Under Users, select All users. If you have a break-glass emergency access account, add it as an exclusion.

Under Target resources, select All cloud apps.

[Screenshot: Policy assignments targeting all users and all cloud apps]

Under Conditions > Client apps, check:

  • Exchange ActiveSync clients
  • Other clients

Leave all other client app types unchecked. In particular, Browser and Mobile apps and desktop clients must stay unchecked: these use modern authentication and work with BlokSec.

[Screenshot: Client apps condition with only Exchange ActiveSync clients and Other clients checked]

Under Grant, select Block access.

[Screenshot: Grant access control set to Block access]

Set Enable policy to Report-only and create the policy. To review what it would have blocked before enforcing it:

  1. Go to Identity > Monitoring & health > Sign-in logs
  2. Filter by Conditional Access > Report-only: Failure
  3. Look for users who would have been blocked — these are users whose clients are using legacy authentication
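The same review can be run against a downloaded sign-in log instead of scrolling the portal filter. This is an added Python example, not part of BlokSec’s documentation; it assumes the export carries the field names of the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, and appliedConditionalAccessPolicies with a result of reportOnlyFailure), and the sample records below are constructed.

```python
import json
import sys
from collections import defaultdict

POLICY_NAME = "Block legacy authentication"

# Constructed sample records (not real tenant data) in the shape of the Microsoft
# Graph signIn resource (GET /auditLogs/signIns), wrapped in a Graph "value" page.
SAMPLE_SIGNINS = json.loads("""
{"value": [
  {"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange ActiveSync",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]},
  {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]},
  {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Block legacy authentication", "result": "reportOnlyNotApplied"}]},
  {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP",
   "appliedConditionalAccessPolicies": [
     {"displayName": "Require MFA", "result": "reportOnlyFailure"}]}
]}
""")

def unwrap(payload):
    """Accept either a bare list of sign-ins or a Graph page object with a "value" key."""
    return payload["value"] if isinstance(payload, dict) else payload

def would_be_blocked(signin, policy_name=POLICY_NAME):
    """True if the named policy, evaluated in report-only mode, recorded a failure."""
    return any(p.get("displayName") == policy_name and p.get("result") == "reportOnlyFailure"
               for p in signin.get("appliedConditionalAccessPolicies", []))

def summarize(payload, policy_name=POLICY_NAME):
    """Return {user: {clientAppUsed: count}} for sign-ins the policy would have blocked."""
    counts = defaultdict(lambda: defaultdict(int))
    for s in unwrap(payload):
        if would_be_blocked(s, policy_name):
            counts[s["userPrincipalName"]][s.get("clientAppUsed", "unknown")] += 1
    return {user: dict(apps) for user, apps in counts.items()}

if __name__ == "__main__":
    # Usage: python review_report_only.py [signins.json]; with no argument, the sample runs.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SIGNINS
    for user, apps in sorted(summarize(data).items()):
        print(f"{user}: {apps}")
```

Each user listed still has a client on a legacy protocol and needs to move to a modern-auth client before the policy is switched to On.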

Once you’re satisfied, edit the policy and change it from Report-only to On.

[Screenshot: Enable policy toggle; start with Report-only, then switch to On]

BlokSec performs multi-factor authentication as part of the passwordless flow (device biometrics + the approved device itself). You should configure your tenant to accept MFA performed by BlokSec rather than requiring Microsoft’s own MFA on top:

  1. In the Entra admin center, go to Identity > External Identities > All identity providers
  2. Find your federated domain and open its settings
  3. Set Federated IdP MFA behavior to Accept MFA done by federated IdP

This is typically configured automatically by the BlokSec federation wizard (it sets the domain’s federatedIdpMfaBehavior property to acceptIfMfaDoneByFederatedIdp), but it’s worth verifying.

Microsoft 365 has its own session lifetime policies that work alongside BlokSec’s session duration:

  • BlokSec session duration — How long the user’s authentication with BlokSec is valid (configured in the application settings)
  • Microsoft token lifetime — How long the M365 access/refresh tokens are valid

For the smoothest user experience, set the BlokSec session duration to be equal to or longer than your Microsoft token lifetime. This prevents users from being asked to re-authenticate with BlokSec before their M365 session has expired.

The default BlokSec session duration of 8 hours works well with Microsoft’s default token lifetimes.

After completing all the tenant configuration steps, verify the end-to-end flow:

  1. Open a private/incognito browser window
  2. Go to https://portal.office.com
  3. Sign in with a federated user’s email address
  4. You should be redirected to BlokSec’s sign-in page
  5. Approve the sign-in on the user’s phone
  6. You should be signed in to Microsoft 365 without entering a password

Test with a few different applications (Outlook web, Teams web, SharePoint) to confirm everything works as expected.