Hi ViliusS (& hopefully The_Exchange_Team too),
I'd asked MS Support to advise whether:
- Mailbox 1 could have:
  - A requirement for Authenticator when using OAuth apps, i.e. Outlook, so that Outlook only opens once the user approves the Outlook launch via Authenticator, or does not launch if the challenge fails...
  - SMTP AUTH with Basic still allowed, to be used for the SMTP sending (presumably via App Passwords) of backup/UPS status emails
- Mailbox 2 could have:
  - A requirement for Authenticator when using OAuth apps, i.e. Outlook (as above)
  - SMTP AUTH with Basic still allowed (as above) for backup/UPS status emails
  - The IMAP client (erroneously indicated as POP) mailer in the medical app (which uses SMTP AUTH Basic to send)
Note: The medical app's support have indicated that their app does NOT work with OAuth/2FA at this stage, i.e. it doesn't work with 365 unless Basic is on and 2FA is off. This is/was where I understood App Passwords fitted in (but I expect that Basic Auth would still be required for these apps to communicate, the app being OAuth-unaware). I explained that IMAP, as a protocol, can use Basic or OAuth authorisation, but the code in the IMAP application would need to support the authorisation mechanism, hence their product sounds as though it only supports IMAP Basic Auth to access the mailbox.
The customer accepts that they need 2 mailboxes, but is already baulking at the cost to their small business of the two 365 mailboxes vs their old ISP setup (ISP = less secure authorisation, i.e. Basic - yes; less featured, no shared mailboxes/calendars - yes; but it worked with 2 mailboxes for the multiple purposes, costing approx $80+GST/annum for 5 mailboxes, albeit sharing much smaller disk space). So encouraging a further spend on the Kiosk licence (which, by the way, is USD $2/month but turns out to be NZD $6+GST/month, i.e. $72+GST/annum, on top of the over $110+GST/annum for each of the two other mailboxes) just to separate out the service emails is not proving popular.....
This article https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944 doesn't really explain where these fit in. I mean, sure, they're for legacy apps (remembering legacy apps will be Basic Auth only), but given the removal of Basic Auth, doesn't that mean these are now essentially going to be redundant? i.e. App Passwords removed the 2-step process for apps that didn't understand it - aka anything that only used a user/password combo, and likely only supported Basic Auth as the authorisation process - hence dropping Basic essentially means legacy apps die too.....
Reading doco is great, and I'm certainly not afraid of doing that; however, doco does need to cover the needs of those who have to read it, and not be obscure to the point of confusion for the masses like us. I've been reading various inter-linked docs from MS on these matters (I've been doing MS stuff for >20 years, so am not unaware of the intricacies involved in working things out), but this issue has had me chasing my tail a bit too much, hence the continued ask: please, a simple doc that covers a genuine "how to" for making something like what I'm seeking work within the MS universe.
In that doco, don't just cover the MS stuff, which MS will be actively updating, but perhaps focus on and cover the fundamentals for traditional 3rd-party Basic Auth dependent apps (i.e. legacy mailers, SMTP senders, multi-functions) without the need for SMTP relay (which is site targeted - yet still too wide for my liking - unless one can do more in the site router, which most SMB sites cannot), and App Passwords: can we use these with such apps whilst still maintaining the greater security of Authenticator for apps that understand it?
We're literally having to consider extra mailer services outside 365 for our SMB customers just to do the housework emails, and for the integrated legacy IMAP mail/SMTP sending medical mailer client, and this just seems crazy dumb..... We've got customers who have 365 but no static IP, so for their multi-functions they can't do relays..... and setting up SMTP relay providers and messing with DNS/SPF/DKIM etc.... this just doesn't seem logical when we have encouraged customers to do their SMB (not the network protocol, of course, i.e. no pun) business the MS way......
Hopefully someone in The_Exchange_Team can please fill in the blanks (or, even better, paint the fuller and workable picture)......
Appreciate everyone's guidance.
Regards
G
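As an added example that is not part of the post above or of any Microsoft documentation: the poster's point is that a mailbox can be reached over IMAP/SMTP with either Basic (password) or OAuth authentication, but only if the client application implements the mechanism the server offers. The script below shows what that looks like on the wire: it parses an SMTP EHLO response for the advertised AUTH mechanisms, reports whether a password-only legacy client or an OAuth-aware client could authenticate, and builds the SASL initial responses each kind of client sends (AUTH PLAIN with a password or app password, AUTH XOAUTH2 with a bearer token). The two EHLO responses are constructed samples, not captures from a real tenant; smtp.office365.com:587 is assumed as the default endpoint for the live probe, which is provided for use against a real tenant and is not exercised offline.

```python
"""Added example: which SMTP AUTH mechanisms does a server advertise,
and what does a Basic-only vs an OAuth-aware client send to use them?
Sample EHLO responses below are constructed for illustration."""
import base64
import smtplib
import ssl


def auth_mechanisms(ehlo_lines):
    """Return the set of SASL mechanisms from EHLO response lines
    such as "250-AUTH LOGIN XOAUTH2" (some servers use "250-AUTH=...")."""
    mechs = set()
    for line in ehlo_lines:
        body = line[4:].strip() if line[:3] == "250" else line.strip()
        upper = body.upper()
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def legacy_client_can_authenticate(mechs):
    """A password-only client (legacy mailer, UPS/backup sender, MFP)
    needs PLAIN or LOGIN; with Basic disabled neither is offered."""
    return bool(mechs & {"PLAIN", "LOGIN"})


def oauth_client_can_authenticate(mechs):
    """An OAuth-aware client needs XOAUTH2 (or OAUTHBEARER) and must
    also implement the token acquisition flow itself."""
    return bool(mechs & {"XOAUTH2", "OAUTHBEARER"})


def sasl_plain_initial_response(username, password):
    """RFC 4616 PLAIN: base64(NUL authcid NUL password). This is the string a
    legacy client sends after AUTH PLAIN, carrying the mailbox password or an
    app password; the server must still accept Basic for it to work."""
    raw = b"\0" + username.encode("utf-8") + b"\0" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_xoauth2_initial_response(username, access_token):
    """XOAUTH2: base64("user=" user ^Aauth=Bearer token ^A^A). Only a client
    that was coded for OAuth can produce this, because it needs a token."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_initial_response(encoded):
    """Decode a captured SASL initial response back to its raw bytes,
    e.g. to see which mechanism a client really used."""
    return base64.b64decode(encoded)


def probe_smtp_auth(host="smtp.office365.com", port=587, timeout=10):
    """Live check (not run offline): connect, STARTTLS, and return the AUTH
    mechanisms the server actually advertises after the encrypted EHLO."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        advertised = s.esmtp_features.get("auth", "")
        return set(m.upper() for m in advertised.split())


# Constructed sample responses (illustrative; not captured from a real server).
EHLO_BASIC_ENABLED = [
    "250-outlook.office365.com Hello [203.0.113.10]",
    "250-SIZE 157286400",
    "250-AUTH LOGIN XOAUTH2",
    "250 SMTPUTF8",
]
EHLO_BASIC_DISABLED = [
    "250-outlook.office365.com Hello [203.0.113.10]",
    "250-SIZE 157286400",
    "250-AUTH XOAUTH2",
    "250 SMTPUTF8",
]

if __name__ == "__main__":
    for label, resp in (("Basic on", EHLO_BASIC_ENABLED), ("Basic off", EHLO_BASIC_DISABLED)):
        m = auth_mechanisms(resp)
        print(label, sorted(m),
              "legacy client ok:", legacy_client_can_authenticate(m),
              "OAuth client ok:", oauth_client_can_authenticate(m))
    print("AUTH PLAIN payload:", sasl_plain_initial_response("ups@example.com", "app-password"))
```

Running it against a real tenant with probe_smtp_auth() is the quickest way to confirm whether SMTP AUTH (LOGIN/PLAIN) is still offered for a given mailbox before relying on an app password; if only XOAUTH2 comes back, a password-only sender has nothing it can use regardless of how the password was generated.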