IBM Security MaaS360

 View Only

Microsoft Basic auth and Modern auth: what's the deal?

By Eamonn O'Mahony posted Thu July 28, 2022 06:33 AM

  

Hi all

Just to let you know that Microsoft will soon stop supporting Basic Authentication, which is a way of logging on to your mail when using a mail client. Anyone connecting to Exchange Online or Office365 mail account will need to have an updated way of authenticating, using Microsoft’s Modern authentication.

While this change is officially planned for 1st October 2022, we understand that MSFT have already begun switching off Basic Auth for a number of their customers. This means that some of our customers are already reporting that they can’t log on to their mobile mail.

 

Background

Basic Authentication is an older version of the password exchange for Microsoft platforms, and a less secure mechanism.  It is being replaced with the Microsoft implementation of Modern Authentication (OAuth), which is the newer and more secure version of authentication to Microsoft platforms.

  • Our Secure Mobile mail client can already support Modern Authentication, so customers just need to reconfigure their Workplace policy.
  • For other mail clients it will be necessary to modify the device policy, on the ActiveSync settings page.
  • On the platform side, there may be further actions to take, including disabling Basic Auth / configuring Modern Auth, on the mail platform (Exchange Online or Office365), or on Azure AD.

 

Customer action required

This is a list of the potential steps needed depending on mail platform and clients used.

Platform side

Provided you are using a Microsoft platform and your users are logging on to mail via mobile devices, the changes below will probably be needed at some stage.

  • Platform side: Azure AD – registering MaaS360 Secure Mobile Mail client as an app

https://www.ibm.com/docs/en/maas360?topic=authentication-registering-maas360-app-in-azure-ad-tenantMaaS360

  • If you need to modify settings on for example Exchange Online, please see Microsoft document below.

Client side

You will also need to change the settings on your MaaS360 device and/or Workplace policies, to support this change.

MaaS360 Mail - change Workplace policy settings for Secure Mobile Mail client

https://www.ibm.com/docs/en/maas360?topic=sign-configuring-office-365-mail-single

Other mail client (non-Microsoft Outlook) – change device policy settings to configure native mail clients (iOS native mail, Android mail for up to And.7 or Gmail for And.8+)

https://www.ibm.com/docs/en/maas360?topic=security-maas360-policies-overview

Microsoft Outlook mobile client, managed via MaaS360 (in App Catalog and distributed)

If you already use, or are planning to use AppConfig, there is a field Secure Authentication type in the configuration that you can change. If you need more information about this check out my previous blog: https://community.ibm.com/community/user/security/blogs/eamonn-omahony/2021/01/29/appconfig-and-oemconfig

Supporting documentation

  1. Official notification of deprecation of Basic Auth in Exchange Online.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

While this document does recommend Outlook as the exclusive mail client, as above our mail client can also support Modern Auth.

  1. The blog below gives a very good overview of the change.

https://www.techtarget.com/searchwindowsserver/tip/Microsoft-modern-authentication-deadline-looms-over-Exchange

  1. Microsoft documentation on configuring modern authentication

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication

 

Any questions or comments, let me know.

Best

1 comment
25 views

Permalink

Comments

Thu July 28, 2022 11:34 AM

Blog how to move from Basic to Modern Auth for both Secure Mail and Native Mail:
https://community.ibm.com/community/user/security/blogs/margaret-radford/2021/12/17/setting-up-modern-authentication-for-maas360-part1
Blog how to set up Cloud Extender Exchange ActiveSync module to use Modern Auth on the service accounts: https://community.ibm.com/community/user/security/blogs/lakshmeesh-c-hegde/2022/04/12/maas360-with-watson-for-cloud-extender-office-365
Blog how to set up Cloud Extender Exchange ActiveSync iOS Email Notification modules for Modern Auth:
https://community.ibm.com/community/user/security/blogs/rekha-puthusseri-veetal/2022/02/08/cloud-extender-integration-of-ibm-security-maas360