A company's security team discovers that several recent account compromises originated from attackers using legacy mail protocols (POP3, IMAP) which do not support multi-factor authentication. The team wants to immediately prevent any sign-in attempts using these protocols. Which Microsoft Entra ID feature should they configure to enforce this restriction?
Conditional Access policies allow administrators to block legacy authentication by targeting client apps that use legacy protocols. This is the correct feature to enforce the restriction.
Why this answer
Conditional Access in Microsoft Entra ID allows administrators to create policies that control access based on conditions such as client apps. By configuring a policy to block authentication requests from legacy authentication protocols (POP3, IMAP, SMTP, etc.), the security team can immediately prevent sign-in attempts that do not support multi-factor authentication, effectively mitigating the risk of account compromise via these outdated protocols.
Exam trap
The trap here is that candidates often confuse Identity Protection's risk-based policies with the ability to block legacy protocols. Identity Protection only requires MFA or blocks access based on sign-in and user risk scores; it does not evaluate the authentication protocol itself.
How to eliminate wrong answers
Option B (Identity Protection) is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-ins and user risks, but it does not directly block specific authentication protocols like POP3 or IMAP. Option C (Privileged Identity Management (PIM)) is wrong because PIM is designed for just-in-time privileged role activation and access governance, not for controlling which authentication protocols can be used. Option D (Microsoft Entra Password Protection) is wrong because it enforces password policies (e.g., banning weak passwords) but does not block legacy authentication protocols or require MFA.