How to Fix Conditional Access policy does not allow legacy authentication

What this error means

A Conditional Access policy is blocking sign-in because the client is using legacy/basic authentication, which Microsoft considers insecure.

Why this happens

An app or script is using legacy auth protocols (IMAP, POP, MAPI, or older Office clients) that don't support modern auth tokens.

Quick fix (for end users)

• Update the affected app to its latest version — most modern apps support modern auth.
• If using IMAP/POP, switch to a client that supports OAuth2.

Admin / engineer fix

• Identify the legacy app via Sign-in logs in Entra → filter by Client app = 'Other clients'.

• If the app is mission-critical and can't be upgraded, create a narrowly-scoped exception in Conditional Access — never disable the policy globally.

• For service accounts that need IMAP, enable OAuth2 IMAP and use a modern auth library.

Step-by-step fix

1. 1

   Find the legacy app from Sign-in logs.

2. 2

   Upgrade to a modern-auth version, or create a scoped exception.

3. 3

   Retry sign-in.

Common variations of this error

People also see these phrasings of the same problem:

• Legacy auth blocked
• Basic auth blocked Conditional Access

Still broken? Try these

• Some scripts use Send-MailMessage or older SMTP libraries — replace with Microsoft Graph or Send Mail via Graph API.
• Confirm the user account isn't accidentally inside an exception group.

Related errors

• Entra ID
  AADSTS53003: Access has been blocked by Conditional Access policies
• Entra ID
  AADSTS7000215: Invalid client secret provided

Related searches

• block legacy authentication entra
• modern auth imap

Frequently asked questions