Admins beware! Microsoft gives heads-up for 'disruptive' changes to authentication in Office 365 email service

Basic authentication will be OFF for Exchange Online email and other services from October 2020

By Tim Anderson

Microsoft has doled out more details on forthcoming changes to the way mail clients authenticate to Exchange Online, the email service used by Office 365.

In March 2018, Microsoft said that it would require Modern Authentication for Office 365 services including Exchange Online, and that this would be enforced from 13 October 2020. Microsoft referenced a 2017 statement that from this date, "Office 365 ProPlus or Office perpetual in mainstream support will be required to connect to Office 365 services."

Modern Authentication means OAuth 2.0, where applications request access tokens from Azure Active Directory rather than using username and password to connect. This enables multi-factor authentication, conditional access policies and other security features.

In September 2019, Microsoft stated that from the October date, it would be "turning off Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell". The only service for which basic authentication will still be supported is SMTP (used for sending email) because of its use by "a huge number of devices and appliances".

Now Microsoft has posted a further update. Although Exchange Online already supports modern authentication, this does not yet apply to the POP and IMAP services used by generic email clients. Microsoft said it is "rolling out Modern Auth support for POP and IMAP in Exchange Online now".

It is worth noting that while in one sense Microsoft gave plenty of notice, it is not allowing much time for admins to test and deploy changes that it is only now getting around to making available. The situation with PowerShell, used for scripting Office 365 admin tasks, is even worse.

"We're still working hard on the code," said Microsoft, "and will have more to say on this in the next couple of months."

The issue, particularly in the case of email, is that not all email clients support modern authentication. Appliances like scanners and copiers are the worst, though mostly these send rather than receive email so can still use SMTP. "If you do have devices polling for mail, and the vendor has long gone or can't update the devices to support Modern Auth for POP and IMAP, then we're sorry… but they will hit issues," said Microsoft, adding that "these devices are often a weak link in your security chain … they have credentials stored on them, no one ever changes the password."

Older versions of Outlook for Windows and Mac are affected. Outlook 2013 can use modern authentication but requires a registry change. Outlook for Mac got the feature in a 2016 update.

The Android mail app is also an issue. "The elephant in the room here is that disabling Basic Authentication for Exchange ActiveSync will break almost every Android phone connecting to Office 365 that is using the native Mail app – with the exception of Samsung devices, which support modern authentication," one user commented.

Microsoft said: "We're strongly recommending you switch to Outlook for iOS and Android in favour of the native apps. There are many security and business benefits over native apps when connecting to Exchange Online."

Another factor is that Office 365 tenants created before August 2017 have modern authentication disabled for some services including Exchange. Admins need to enable it via a PowerShell command.
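One way to check whether modern authentication is switched on for a tenant and enable it if not, as an added PowerShell example that is not part of the article; it assumes the ExchangeOnlineManagement module is installed and uses a placeholder admin account name:

```powershell
# Added example (not from the article): check whether modern authentication
# (OAuth 2.0) is enabled for an Exchange Online tenant and turn it on if not.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds Exchange Online admin rights. The UPN below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$config = Get-OrganizationConfig
"Modern auth currently enabled: $($config.OAuth2ClientProfileEnabled)"

if (-not $config.OAuth2ClientProfileEnabled) {
    # Tenants created before August 2017 typically default to $false here.
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Re-read the setting to confirm the change took effect.
$verify = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
if ($verify) {
    "Modern authentication is now enabled for the tenant."
} else {
    Write-Warning "Modern authentication still disabled; check role permissions and retry."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Enabling modern authentication this way does not itself block basic authentication; it lets clients that support OAuth start using it, so the remaining basic-auth connections show up clearly in the sign-in report before the October cut-off.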

In order to assist admins with a change that "can be disruptive", Microsoft has an updated Azure AD sign-in report – provided that you have a premium version of Azure AD. Even if you have an enterprise Office 365 tenancy, such as E3, you cannot get the report without spending a bit more*. Once you get in, you can view sign-ins and filter them to show which connections, if any, are using basic authentication.

Microsoft's handy sign-ins report requires premium Azure AD

Microsoft is right. Basic authentication can be a security vulnerability, and having Office 365 credentials stuffed into photocopiers and the like, often behind default passwords to access the settings, is a terrible idea. In small businesses we have even seen global admin credentials there. Disabling basic authentication will improve security, for this and other scenarios.

There is stuff that will break, though, and the company is late in getting all of its services ready. ®

* Updated at 0900 on 27 February to add:

Microsoft has been in touch to say it is "rolling out a change very soon to make it available to all customers."
