Greg Taylor - EXCHANGE Thunderbird does support OAuth IMAP, but they do it wrong...
1) Their Client ID and Secret are stored in the source code, meaning anyone can impersonate TB using a fraudulent TB app.
2) Their AzureAD Application is configured as a Confidential Client. It should be configured as a Desktop Client.
3) RE: Confidential Client configuration, Conditional Access policies do not work with Thunderbird configured with OAuth2 except for the initial authentication. Therefore admins cannot restrict access once a token is granted. Refresh tokens survive password changes/resets, so no reauthentication prompts. The only way to get a reauthentication is to expire the token.
Suggesting Thunderbird OAuth2 is not a really good solution for Enterprise. I have many Thunderbird users who are HEAVILY invested in using Basic Auth IMAP right now. I dread the drop-dead date when I have to break the news that they all have to go to OWA or Outlook because TB can't be used.
If you're at all interested, check out Case #s 21139004, 22203592, 120072824001696. They might all be linked up somewhere. There was collaboration between Exchange Team and AzureAD Team on the matter to come to these conclusions.
Jeremy
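For readers unfamiliar with the distinction in points 1 and 2 above, the following added example (not Thunderbird's code, not from this thread) shows what a Desktop/public-client authorization code flow against the Azure AD v2.0 endpoint looks like: PKCE (RFC 7636) binds the code to the client instance, so no client secret ever needs to ship in the binary. The client ID, redirect URI and tenant are placeholders; the IMAP scope is the standard Exchange Online one.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholders for the example; a real registration supplies its own values.
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder public-client app ID
REDIRECT_URI = "http://localhost"                    # loopback redirect used by desktop clients
SCOPES = ["https://outlook.office.com/IMAP.AccessAsUser.All", "offline_access"]
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43-char base64url verifier, within the 43..128 limit
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization request for a public client: the PKCE challenge stands in for a secret."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Token-exchange body for a public client. Deliberately has no client_secret field."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(SCOPES),
    }
```

With the app registered as a public client, Azure AD rejects a token request carrying a secret and the binary carries nothing worth extracting; the refresh-token lifetime and revocation concerns in point 3 are tenant policy and are unaffected by this change.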