Azure Active Directory Conditional Access: Block Legacy Authentication Can Break Microsoft Office 365 Provisioning Feature in Okta
Overview
When Test API Credentials is run for the Microsoft Office 365 app in Okta, the provisioning feature returns the following error:
Could not communicate with Office 365 to validate your credentials, received error: 400 Authentication Error: Bad username or password.
The corresponding Azure Active Directory authentication and authorization error code is:
AADSTS53003: BlockedByConditionalAccess - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance
Applies To
- Microsoft Office 365
- AAD Conditional Access
- Legacy Authentication
- Okta Classic Engine
Cause
The Conditional Access policy Block legacy authentication is enabled by default. The credential check that the Okta Office 365 app performs uses legacy authentication, so Azure Active Directory refuses to issue the token and returns AADSTS53003.
NOTE: If the Azure Active Directory tenant was created on or after October 22, 2019, it may already exhibit the new secure-by-default behavior and have security defaults enabled. In an effort to protect all users, security defaults are being rolled out to all newly created tenants.
Solution
Option 1: Disable the Baseline policy: Block legacy authentication.
Option 2: Exclude the Microsoft Office 365 global administrator account that Okta uses for the federation from the policy. To do so:
- Sign in to the Azure portal as a global administrator, security administrator, or conditional access administrator.
- In the Azure portal, on the left navbar, click Azure Active Directory.
- On the Azure Active Directory page, in the Security section, click Conditional access.
- In the list of policies, click the policy whose name starts with Baseline policy: Block legacy authentication.
- To exclude the administrator account, select Exclude users and add the account.
- Click Save.
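As an added example (not Okta's or Microsoft's code), the following Python checks an exported Conditional Access policy in Microsoft Graph conditionalAccessPolicy shape to see whether the administrator account used by Okta would still hit AADSTS53003, and shows what the Option 2 exclusion changes (Option 1, a disabled policy, also evaluates as not blocking). The policy JSON and the account object id are constructed sample data, and it assumes the baseline policy is exported in the standard policy shape.

```python
import copy

# Client app types that Azure AD Conditional Access treats as legacy
# authentication, per the Microsoft Graph conditionalAccessPolicy schema.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

def blocks_legacy_auth_for(policy, user_id):
    """True if `policy` would block a legacy-auth token request from user_id
    (the AADSTS53003 condition). Only state, grant, clientAppTypes and users
    are evaluated; other conditions (apps, locations) are assumed to match."""
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    if "block" not in grant.get("builtInControls", []):
        return False
    conds = policy.get("conditions", {})
    client_types = set(conds.get("clientAppTypes", []))
    if not (client_types & LEGACY_CLIENT_APP_TYPES) and "all" not in client_types:
        return False
    users = conds.get("users", {})
    if user_id in users.get("excludeUsers", []):  # exclusions always win
        return False
    included = users.get("includeUsers", [])
    return "All" in included or user_id in included

def exclude_user(policy, user_id):
    """Return a copy of `policy` with user_id added to excludeUsers (Option 2)."""
    fixed = copy.deepcopy(policy)
    excluded = (fixed.setdefault("conditions", {}).setdefault("users", {})
                     .setdefault("excludeUsers", []))
    if user_id not in excluded:
        excluded.append(user_id)
    return fixed

# Constructed sample: a policy export in Graph shape, and a placeholder object
# id for the Office 365 global administrator account that Okta uses.
OKTA_ADMIN_ID = "00000000-0000-0000-0000-00000000beef"  # placeholder, not real
BASELINE_POLICY = {
    "displayName": "Baseline policy: Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["exchangeActiveSync", "other"],
        "users": {"includeUsers": ["All"], "excludeUsers": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    fixed = exclude_user(BASELINE_POLICY, OKTA_ADMIN_ID)
    print(blocks_legacy_auth_for(BASELINE_POLICY, OKTA_ADMIN_ID),
          blocks_legacy_auth_for(fixed, OKTA_ADMIN_ID))  # True False
```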
