Hi all
Just to let you know that Microsoft will soon stop supporting Basic Authentication, which is a way of logging on to your mail when using a mail client. Anyone connecting to Exchange Online or Office365 mail account will need to have an updated way of authenticating, using Microsoft’s Modern authentication.
While this change is officially planned for 1st October 2022, we understand that MSFT have already begun switching off Basic Auth for a number of their customers. This means that some of our customers are already reporting that they can’t log on to their mobile mail.
Background
Basic Authentication is an older version of the password exchange for Microsoft platforms, and a less secure mechanism. It is being replaced with the Microsoft implementation of Modern Authentication (OAuth), which is the newer and more secure version of authentication to Microsoft platforms.
- Our Secure Mobile mail client can already support Modern Authentication, so customers just need to reconfigure their Workplace policy.
- For other mail clients it will be necessary to modify the device policy, on the ActiveSync settings page.
- On the platform side, there may be further actions to take, including disabling Basic Auth / configuring Modern Auth, on the mail platform (Exchange Online or Office365), or on Azure AD.
Customer action required
This is a list of the potential steps needed depending on mail platform and clients used.
Platform side
Provided you are using a Microsoft platform and your users are logging on to mail via mobile devices, the changes below will probably be needed at some stage.
- Platform side: Azure AD – registering MaaS360 Secure Mobile Mail client as an app
https://www.ibm.com/docs/en/maas360?topic=authentication-registering-maas360-app-in-azure-ad-tenantMaaS360
- If you need to modify settings on for example Exchange Online, please see Microsoft document below.
Client side
You will also need to change the settings on your MaaS360 device and/or Workplace policies, to support this change.
MaaS360 Mail - change Workplace policy settings for Secure Mobile Mail client
https://www.ibm.com/docs/en/maas360?topic=sign-configuring-office-365-mail-single
Other mail client (non-Microsoft Outlook) – change device policy settings to configure native mail clients (iOS native mail, Android mail for up to And.7 or Gmail for And.8+)
https://www.ibm.com/docs/en/maas360?topic=security-maas360-policies-overview
Microsoft Outlook mobile client, managed via MaaS360 (in App Catalog and distributed)
If you already use, or are planning to use AppConfig, there is a field Secure Authentication type in the configuration that you can change. If you need more information about this check out my previous blog: https://community.ibm.com/community/user/security/blogs/eamonn-omahony/2021/01/29/appconfig-and-oemconfig
Supporting documentation
- Official notification of deprecation of Basic Auth in Exchange Online.
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
While this document does recommend Outlook as the exclusive mail client, as above our mail client can also support Modern Auth.
- The blog below gives a very good overview of the change.
https://www.techtarget.com/searchwindowsserver/tip/Microsoft-modern-authentication-deadline-looms-over-Exchange
- Microsoft documentation on configuring modern authentication
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication
Any questions or comments, let me know.
Best