This is a part of a question set containing 2 questions: 
You are responsible for the Office 365 security in your organization. You want to block legacy authentication to Azure AD as these protocols do not support MFA. You have identified the usage of apps that use legacy authentication. You must now create a conditional access policy to block legacy authentication sign-in attempts. 
What should you configure to complete this policy? 

Answer options:

A.Conditions
B.Session
C.Cloud apps or actions
D.Leave it as it is, the policy will block legacy authentication without any further changes.

Correct Answer: A 
What is missing in this policy is the Conditions to control user access to target client applications to not use modern authentication. 
Under Conditions select Client Apps – Set configure to Yes – check the boxes “Exchange ActiveSync Clients” and “Other Clients” under Legacy authentication clients 

Option B is incorrect. The Session control lets you control user access based on session controls to enable limited experiences within specific cloud applications.
Option C is incorrect. Cloud apps or actions lets you control user access based on all or specific cloud apps or actions. All cloud apps have already been selected in this policy.
Option D is incorrect. You need to configure the Conditions control to target legacy authentication clients. 
Reference:
To know more about blocking legacy authentication, please refer to the link below: 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication