AZ-004 Microsoft Azure

Legacy/basic authentication is blocked.

Legacy/basic authentication is blocked.

Domain
Microsoft Azure
Area
Entra ID / IAM
Automated / manual
Manual

Risk if it fails

Legacy protocols bypass MFA.

Old email protocols ignore MFA entirely. Attackers deliberately use them to log in with just a stolen password, sidestepping your strongest defence.

How Tess tests it

1 test — each concludes only on cited evidence.

Legacy/basic authentication is blocked.

Manual
Procedure
Confirm Conditional Access blocks legacy auth (or it is disabled tenant-wide).

Read-only command 

Manual — Entra ID > Conditional Access; verify a policy blocks legacy authentication clients.

More in Microsoft Azure

AZ-001 MFA is enforced for all users, especially privileged roles. AZ-002 Number of Global Administrators is limited (typically 2-4). AZ-003 Privileged Identity Management (PIM) provides just-in-time elevation. AZ-005 Guest user access and invitations are restricted.

Want Tess to test AZ-004 against your evidence?

Book a demo