Basic Auth and Exchange Online – February 2020 Update

we are not able to download the Json file....any options....download failed multiple times

Couple of questions

1. we have not enabled Modern authentication in our tenant whether we need to enable before that

2. If we did not enable modern authentication, just upgrade the client version whether it will work

3, User will notice change in behaviour when we make changes to tenant with modern, can we do it on user level like phases instead of tenant level

@ph_lyThank you for posting.  Your solution worked for me. 

I removed the existing account from the Samsung Native Mail App, which was originally set up as an "Exchange Account".  I then added it back using "Office 365" as the type of account, as you suggested.  It made me log in with modern auth, and honored the multi-factor authentication I have on my tenant, and it worked like a champ.  Thank you again for posting the solution!

After I finish my testing, would you happen to know if there's currently a single setting somewhere that will require Modern Auth for all Exchange clients accessing my tenant?  I already have app passwords completely disabled in OneDrive for Business and SharePoint Online.

@Steven Seligman  Yes, you do this by using conditional access policies.  Create a policy that completely blocks activesync for all apps, and it will have the desired effect.  A modern authentication client (Apple Mail, Outlook, and now Samsung etc) is not considered ActiveSync from a policy perspective and will be still allowed.   

What we have done is that for anyone enrolled in MFA, they both get this block policy as well as a policy that blocks legacy authentication (e.g. POP3/IMAP).  Before OATH support for POP/IMAP, those legacy protocols are a back door for getting into a compromised account.

@ph_lyThank you again for generously sharing your expertise and time.  I greatly appreciate it.

@Greg Taylor - EXCHANGE - when I filter by Client App and only choose "Other clients" from the list, the results are not limited to "Other clients" but include all values of client app. I was able to recreate this on multiple browsers, devices, and tenants. 

So, with basic disabled, Exchange Active Sync will still show up in the report? I show IMAP/POP3 and Active sync as alive and authenticating.

Is this expected behavior, or is the report filtering not going to be accurate?

I apologize if this has been repeated.

Hello, we are seeing a lot of sfb clients in the logs. How we can remediate this issue?

@Britt Adams  - as the blog says - "but we’re rolling out a change very soon to make it available to all customers, providing them with a 7-day rolling report of client login activity. Once that change has rolled out the Identity team have a post planned for their blog that will help you use some of the more advanced features available within the report. We’ll also update this post when the report is freely available to all our customers." - patience required, or buy Azure AD P1/2.

@t-rev - checking, can't repro that. But my Azure friends are looking at it. 

@securityDM - sounds like Basic isn't disabled if you are seeing sign ins using Basic. How did you disable Basic? 

@Alex Chacko - there have been suggestions for SfB in the comments

Take the "Operating System" column with a grain of salt. I've found that in most cases, using Office 2013 apps like excel.exe and winword.exe to access O365 resources cause that column to register "Windows 8" when it's a Win10 machine. Win10's searchprotocolhost.exe (unclear why it's accessing AAD at all) also does it.

@Greg Taylor - EXCHANGE Hello, what to do if we have exchange and SFB services are hosted in online, MA enabled in tenant level for both and still seeing SFB clients in the logs? 

To see sign-in data, upgrade your organization's subscription to include Azure AD P1 or P2. Your current license status: Azure AD Free  

:(

Hi

I have a couple of questions.

My company uses BT in UK as host for mail and domain etc, the mail is backed off to MS. BT only give 1Gb of mail storage so really small. The company uses high resolution images and documents all the time, they also have many sub folders of the inbox. (I've tried to stop this!!)

Consequently, all their outlook mailbox's are set up as POP so that emails are retained on their PC's and then removed from O365 after 7 days automatically to stop the mailbox filling up.

How will this change affect these users, I don't want to use exchange account as this will lead to the mailboxes filling up in a few days.

Advice please?

Thanks

About Thunderbird support: this blog post tells that IMAP should support OAuth, and since Thunderbird supports OAuth as well it should work. This is how you enable OAuth in O365: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-mo... I did this, however, Thunderbird still says that "The IMAP server outlook.office365.com does not support the selected authentication method". So I'm not sure whether this is supposed to work or not.

@Greg Taylor - EXCHANGE— your time is precious so I'll be as succinct and terse as I can—apologies if the tone is too critical. Though I've worked with Exchange since v4 on NT, I do not think you have thought this communication, and especially your today's (28 Feb 2020) mass mailing titled "Basic Authentication Retirement - Updated Info" from the perspective of small and medium business users who subscribe to O365 but are disinterested in the inner workings of your service and its relationship to Azure AD. Your email has clearly been targeted at enterprises and you missed several key points:

• The report for checking authentication type mentioned at the start does not work for regular O365 Exchange users who only have a bundled free Azure AD—I am being told I need to purchase an enterprise Azure AD plan just to see which few of my colleagues may not be using OAuth. Won't happen.
• The steps to filter and find out what is modern auth and what is not in that report are much too complex—you need to make it super-clear who is running what and offer that report for free, if that matters to you. Better, forget about pushing this onto the customer, and sort it out on your end with a clear, customer-specific, targeted email showing who has what issue. A bit like AWS does when important change is imminent (RDS certs and auth come to mind in the last couple of months).
• Our organisation, like many of our business partners, *only* uses iOS devices with no Windows (Phones, tablets or PCs) in sight. I am afraid you have made a veiled comment that the native Apple iPhone and iPad app will stop working and you suggest people must switch to Microsoft Outlook, and anyway it is "better" as per the quoted Forrester paid-for marketing bit.
• Let me be clear: Microsoft Outlook is an inferior mail client on iOS devices in comparison to Apple's for many reasons: lack of both broad and deep integration into the rest of the iPhone and its apps (VIPs, notifications, reminders, Watch, data scanners in other apps, flagging, sync with desktop, iMessage, browsers to name just a few), poor iOS Calendar and Contacts integration causing duplication of data, unexpected loss of data/emails in its offline behaviour, too much reliance on constant connectivity, poor recovery from networking issues, poor authentication experience for customers who have both an organisational and a personal identity. Further, I, and many others, place much trust in the Apple ecosystem, preferring its apps to Microsoft's, notably because of Microsoft's privacy policy that does not, by default, stop its behavioural data collection/telemetry. In my industry, that is not acceptable.
• If by virtue of this authentication change you are trying to make people abandon the Apple mail client in iOS or on macOS desktop you will find us, and I am sure many other "long tail" customers switching to another email provider. That would also mean a loss to Teams and other O365 departments.

Perhaps you are doing everything fine and there is nothing for iOS users to be worried about and it was all just a poor piece of communication. I really hope that is the case! If so, please make that clear. Please send much less technical mail missives explaining that. Even better, segment your mailings by the type of the user: if they have a paid Azure AD which they use extensively, go ahead with the above, but for the rest of us, just give us a good, worry-free service. That'll buy you another 10 years of great many O365 subscriptions. Thank you.

@RafalLukawiecki Maybe you missed it but as long as you are running iOS 12+, it supports both Modern Authentication and MFA if you decide to enable this. We run this for multiple customers. The problem is however Android since many models does not support Modern Authentication in the native app.

@RafalLukawiecki As Jonas indicated, the native mail app in iOS and Mac does support modern Auth.

Also, the question on the active directory report has been answered several times in this thread and is coming for non premium customers. 

For Android users, being a long time one myself - Samsung is supported, and the Outlook app is by far superior to any native Android client at this point.  Some users will have to switch.  You have.a half a year to prep them, or those apps may have updates by that time. 

Oh, and I think you are dead wrong on Outlook for iOS as well.  Our users who have made the switch generally find it vastly superior and have none of the problems you are describing.  Have you tried it in the past year?

The superior search experience alone is wroth the price of admission. 

@Jonas Back there is an issue mentioned by an earlier commenter that the free Office 365 MDM provisions an iPhone Work Email profile that is configured for basic auth when you use the "Require managing email profile" check box.

This causes problems when you try to use MFA as the device constantly prompts for a password. Took me months to crack it as it's not very well documented! Seems the upcoming change here will also break it outright for non MFA users.

They need to fix this ASAP, it has been months and months with no update on it.

Thanks for the blog - it explains a lot of the changes I've seen in our tenant. However you might need to give a heads up to technical support, as I've raised a few tickets in the last couple of weeks and support don't seem to know about the changes.

We block access to IMAP for the majority of users 18 months ago, however, in the last few weeks, IMAP4 connections have appeared for these users. Is this OAuth IMAP? Of the handful a looked at yesterday, the user doesn't know what app is accessing their data. Googling suggests the client agent that we see, CBAinPROD, is malicious.

Please can we have a better way of flagging this up issue to users. Downloading the sign-in reports and asking a customer to remember which machine they were using at 2pm last Tuesday isn't a speedy way of identifying the issue.

In the Identity Protection | Legacy Authentication report, only 5 client apps are selected (I used to able to click on these to see which 5, but that doesn't work now). This report also includes applications that are not Office 365 Exchange Online - I assume these applications are not affected by your changes? Why not list the 13 client apps, mentioned above, in this report?

Can we have a tick box for "Basic Auth" in the sign-in report? Clicking 13 boxes multiple times a day when the browser times out is a pain!

We have had Modern Auth enabled for quite some time, however new Macs are still connecting with Basic Auth. I'm still investigating, however it looks like you need to disable Legacy Auth to force Macs to use Modern Auth and also we've needed to delete their profile and recreate. We have 500 users in this predicament.

Having greater visibility of the user agent in the exports will be a great help. Identifying as "Microsoft Office 16.0" when this identifier is used for Office 16, 19 and Office 365 is a pain. I now know to look at each person individually. Please turn the strings like "Microsoft Outlook 16.0.11929" into the human readable version without us having to resort to Google. With over 600 different user agents, it's still a bit of a headache!

As t-rev mentioned, I get the following error when the JSON download fails: Given data uri is not formatted correctly with data uri syntax. It's worked once today and does import into Excel OK. Note: if you "...select any item in that list you’ll see the details in the window below.", then the Transform tab disappears. Skip to the next step instead of selecting any item.

The JSON download doesn't include the status of the sign-in. It's quite important to know if it's successful or not.

There seems to be an expectation that any OAuth connection is OK. We would like to retain email, as far as possible, within outlook. Is there a simple way to stop OAuth connections to email from other clients, for a subset of our users, eg Legal?

Couple of questions and it is not clear. Seems Microsoft need to extend the date

1. Report not working as instructed it will delay to analyze the user impact

2. Excel support does provide but it is over all sign in report

3. we need to identify what is the impact or error message when they don’t have registry file for outlook 2013 to communicate to end users 

4. if we enabled modern authentication what will happen to the existing users whether it is going to prompt again for the password 

5. whether MFA need to enabled internally for modern authentication 

How we can report for pop and IMAP with the application name so we can update them 

We still not seeing OAuth as one of available option for POP3 when trying to connect to outlook.office365.com. Can someone confirm that it works for POP or IMAP as it mentioned in the blog?

@Greg Taylor - EXCHANGE - tested the "Other clients" filtering again this morning and I am now seeing proper behavior in our tenants. Looks like the Azure team straightened it out or perhaps something was still propagating to our tenants yesterday. 

JSON download update - I can download very small data sets, for example "MAPI over HTTP" returns four rows for a short time period and allows export. Exports that contain larger data sets still consistently fail. Also thought to give the Azure Portal app a try and see the same results.

@EugeneYa "We’ve completed our development work and are rolling out Modern Auth support for POP and IMAP in Exchange Online now."

It is not enabled everywhere yet.  Wait for it to be deployed to your tenant before testing.   Also your clients have to support it, I suspect few do. 

I understand the access protocol I use and the authentication type I use are two different things. If I now look for the client app "IMAP4" in the Azure sign-ins, they will be showing Basic Authentication, but if those clients are changed to use Modern Authentication, they will no longer appear as "IMAP4"? This seems rather counter-intuitive.

If it is not possible to show Modern Authentication IMAP4 sign-ins as such, then at least it would help to show that string as "IMAP4-Basic Auth" for clarification.

@ZoltanLehoczky as far as I know thunderbird will need to be patched to support OAuth for Azure AD.

The dark side of oauth is that every provider needs special support in the client. At least to learn the provider endpoint URLs, and in the case of Azure AD, to do the specific things that are different from Google related to refresh cookies and public clients (eg PCKE).

So, until Thunderbird is patched to support O365 it won't work. Hopefully once MS provides the developer documentation someone will start on that. It is also a little unclear to me how Mozilla will get itself a client id.

It is very hard to see how the October deadline is feasible at this point, when it is now March and there is no developer documentation, and no date for SMTP roll out, and not even a prototype patch to make Thunderbird work.

@Jason_Gunthorpe Smtp Auth is not a requirement for thunderbird in October.  They are not blocking legacy Smtp at this time. 

You could use IMAP instead of pop, on the off chance they it is not patched by then. 

@Jason_Gunthorpe I see, thanks, that's an issue. With no actual OAuth available for IMAP in O365 as it seems there's no way the whole world will be able to support it until October. Here`s the Thunderbird issue about this.

@ph_ly in Thunderbird IMAP uses the same authentication options as POP3 I think, which is basic auth and OAuth2, among others. If OAuth won't work with Thunderbird then that means that it won't support O365 at all (apart from with paid add-ons) come October.

BTW apart from the examples mentioned here already, CRM tools with e-mail integration are another area where both IMAP, and in the future SMTP will need to be patched.

@Philip Lyle I can't see thunderbird accepting some hybrid scheme where IMAP is OAUTH and SMTP is basic. It doesn't look like they have the infrastructure to manage such a complicated configuration. Frankly I think most vendors of Mail clients will take this position and refuse to progress on OAUTH until MS provides the full solution.

Perhaps if MS confirms that the existing solution for outlook.com will work the same with O365 (ie the wl.imap scope and XOAUTH2) then people would progress to implement and test outlook.com support and O365 can drop in when it is ready. The silence from MS is not helping developers support their platform.

@Greg Taylor - EXCHANGE 

We disabled through PowerShell and we have users that cannot connect using basic. However, IMAP and POP3 still show up, as well as other ActiveSync devices. It appears, on a top glance, that these protocols are supporting modern auth.

When making the selection in the report that the article advises to, some of these devices are on the latest OS and client, so using that in one of the 13 filters is not beneficial, nor accurate.

And I have a confirmed user logging in under IMAP with basic authentication, yet it is disabled for the user. They showed up in my AD report as a success. I see quite a few successes when it's disabled globally.

@Jason_Gunthorpe It would not be complicated to have separate settings.   Outlook does this already.

In any case, Thunderbird is a red headed stepchild of Mozilla.  They have known about the deficiency for a while.  I don't have much sympathy.  That thread you linked to didn't really say anything, and the one official response didn't suggest much of an understanding of modern authentication (and was a year old). 

Other apps are mostly already on board, at least those with active development.   The issue will be with the smaller, non developed applications that check email. 

We need to be able to use Azure AD PowerShell to find out who is using Basic Authentication for easier reporting. Please vote this up if you are interested in seeing this option: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39818251-return-value-fo...

Good write up and thanks for early warning. I help a small non-profit organization that relies on Office 365. We use Azure AD Free and as such the "Sign-ins" report you linked is not available. It says it requires premium Azure AD P1. My users have a variety of access methods from windows 10, MAC, android, ios etc, and I want to assure they are not impacted by this change. Anyway the reporting can be provided to us low users? We are very tight monetarily and can't justify additional IT cost. 

Thanks.

Feed Iowa First.

@Jason_Gunthorpe Thunderbird supports having separate auth settings for the same mailbox's IMAP and SMTP (I don't think you can actually have them the same).

@GregTaylor It seems that Modern Auth doesn't work for EWS with users with personal accounts.  Is this a bug, or a known limitation?

Unfortunately can't see the sign-in report with E2 version

Is there away to force a single user to use modern auth? I don't want to enable modern auth for our tenant and then have a bunch of angry user's having to resign in. I also have concerns with our VDI environment as well that I want to make sure that this wont be an impact there.

Use conditional access rules.

Tested with a POP3 and it connects. It won't completely sign in, but it will authenticate to Azure, but I don't think it can reach Exchange online.

It's not enough to turn it off and even then those categories to block/filter show updated and active devices using modern auth under the category that states it's BASIC. If I set up a rule to block them, it should terminate access to a device using current standards.

Busy past 24 hours here. Great to see so much interest and activity. I'll take a go at answering those I can. 

@Alex Chacko - I suggest taking a look at the traffic using Fiddler and really see what's going on. MA being enabled doesn't mean it's being used. Outlook and Lync might need some reg key or other settings to make that switch. 

@WightKnight1119 - the change to make this report free to all is coming very soon I hope. Anyone with P1/2 can see it now, anyone without will have to wait a little. 

@ukchri2 - If we host your mail (which BT re-sell to you), you will be affected. You should reach out to BT support and point them at this blog, but same advice applies as to anyone else - if you want to keep using POP3, you'll need to use an OAuth capable POP3 client. 

@ZoltanLehoczky - we are still rolling it out, so it might be that it didn't get to your tenant yet. We have a lot of servers to roll these changes to. A lot. 

@RafalLukawiecki a few points (and I see others have helped answer your questions too - thank you for those that did);

• Access to the report does not require you buy Azure Premium - it will show up for you, for free, very soon. As it says clearly in the blog. 
• The steps are complex, regardless of your org size. As we said in the blog we know we have work to do to make it easier to use, but if we waited for that alone, it could be weeks (or more) more. 
• iOS devices are great. I use iPhone, iPad and a watch - but the native mail app isn't as good as Outlook imho. But if you want to use it - you can, as it supports Modern Auth. So there's no issue. You use your client, I'll use mine. I'll get more done, but that's me. 
• Let's agree to disagree. 
• Again, if you want to keep using modern Apple devices, they will work just fine. I think you need to re-read some of the blog and the comments. It's actually pretty clear that native apps on modern iOS devices will work just fine. 
• We don't just care about Enterprise customers, I really don't get why you would say that. I think you need to read the details in the blog. 

@Anthony Cotton - Support should know but we'll keep reminding them. There's a lot of change for them to keep up with, for all of us. CBAinProd is an internal bit that essentially means EXO asked Azure AD to auth the user - the auth attempt is proxied from EXO to AAD with Basic. In OAuth the client is redirected. Essentially CBAinProd is not useful for you, other than it says 'Basic was used here'. It's nothing to worry about. 

You also seem to have some funky connections there. The reporting isn't at all perfect, we know, and we're working on making the filtering far more intuitive. Thanks for the feedback. Disabling legacy shouldn't be required for new Macs to use MA - open a support ticket, let's have a look at that. Your last question about controlling which users can do what - Auth Policies and Conditional Access. See if that does the job. 

@Sankarasubramanian Parameswaran - #3 - if the reg key isn't present the client uses Basic. There's no error. Unless you disable Basic, in which case the client won't connect. #4 - if you switch users from Basic to Modern, they will have to authenticate, then the tokens are cached and they won't need to auth for some time. typically. #5 - no idea what that means. And not sure what you mean in your following question about POP and IMAP - but POP/IMAP don't include app ID in the protocol. You can see the user who is using POP/IMAP - go ask them. 

@EugeneYa - it's still rolling out. Patience please.  (thanks @ph_ly for answering that. Can you tell I'm scrolling...)

@t-rev Glad it seems to be working again, Azure must have put more food in the hamster cage. 

@SaschaSeipp - yes, it's a bit weird that IMAP doing Modern Auth won't show as 'IMAP' - we'll try and fix that in the future. 

@Jason_Gunthorpe - The docs are nearly ready. We just need the scope changes to light up in prod too, then we'll release what you need. 

@securityDM - If you have disabled Basic, yet users are still connecting - then it might be caching - give it some time. it's not instant. 

@Feed-iowa - The report will be free to all once the roll out completes. Then you can see for yourself what is being used. 

@joel_shafer - what is a personal account? Modern Auth works great for EWS for O365 accounts. If you mean an MSA, not an O365 - then you are correct, and nor will it. 

@nmyfs - the answer to your question is in about 15 different replies, and in the blog itself. Happy hunting. 

@joshuaholcomb - If MA is disabled at the tenant then no Outlook for Windows client can do MA. EAS and Mac Outlook can and will though, they ignore the org wide setting. 

@Susan Bradley - a good life lesson and PSA. 

I'm off to have a lie down now. 

I have blocked usage of POP, IMAP and "Authenticated SMTP" for all our O365 users via Microsoft 365 Admin Center,  Active Users, "Manage email apps" to prevent password spraying attempts on accounts with IMAP, POP and SMTP enabled. Something I understand could have been a problem even though we have MFA enabled on all accounts(?). That caused problems for some users that still used IMAP.

Question: you write about adding Modern Auth support to POP and IMAP for O365 commercial customers. Would that mean I can turn IMAP, POP and "Authenticated SMTP" back on? Since the change you are doing in October 2020 will remove all possiblities for Basic Auth anyway? 

Thank you. 

@ThinKing - yes, as long as the client you use supports Modern Auth for POP/IMAP. 

But honestly, if you have turned off POP and IMAP and switched users to a more capable and feature rich protocol and client - why would you? If they are using Outlook and MAPI now, or OWA, going back to POP and IMAP is going to be like stepping back in time. Move forwards, not backwards. 

Hi,

I've just checked out the sign-ins report, and see our Surface Hubs are still using Activesync basic authentication. From the (admittedly 2 year old) documentation - https://docs.microsoft.com/en-us/surface-hub/on-premises-deployment-surface-hub-device-accounts - ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods.

Is this still true? Do you know when the Surface Hubs will support modern auth?

@Dylan Baars - We are aware of the SurfaceHub dependency on BasicAuth and the corresponding team is engaged.

On the Skype client using Legacy Authentication;

Behaviour I've seen is that the cached credentials will cause Skype to keep using Leg.Auth. By selecting "Delete my sign-in info" you will force a new authentication for the client and if all requirements are met it will use Modern Authentication.

Hi @Greg Taylor - EXCHANGE 
Thanks for your clarification on the sign-in report (ActiveSync). I am however confused by the wording in a Conditional Access policy which I would like to use to now block Legacy Auth EAS (Step 4 in the EXO flow). I understand the AAD team responsible for the CA policies is not the same as the AAD team responsible for the sign-ins report and so things might need to catch up, but for clarification. If the policy were configured like this, would only LegAuth ActiveSync be blocked and would IMAP,POP3 Etc also be blocked too? (Assuming the grant access control is set to "Block" in the policy):

Would the "Apply policy only to supported platforms" ONLY apply to ActiveSync Modern Auth clients? Shouldn't there be the option to apply the policy to "supported ActiveSync platforms" in addition as well as, not exclusively?

I think this is where I get confused. Perhaps an example of when I would check the "Apply policy only to supported platforms" option, might help.