Released: March 2024 Exchange Server Security Updates
Published Mar 12 2024 10:06 AM

Update 4/23/2024: We have now released April 2024 Hotfix Updates which address known issues in March 2024 SU updates.

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server:

  • Exchange Server 2019 CU13 and CU14
  • Exchange Server 2016 CU23

The March 2024 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Security Advisory ADV24199947 information

After you install this security update, Exchange Server no longer uses Oracle Outside In Technology (also known as OutsideInModule or OIT). OIT performs text extraction operations when processing email messages that have attachments in Exchange Transport Rule (ETR) and Data Loss Prevention (DLP) scenarios.

For more information, see The OutsideInModule module is disabled after installing the March 2024 SU.

Update installation

The following update paths are available:

(Image: Mar2024SUs.jpg, diagram of the supported update paths)

Known issues with this release (please see April 2024 Hotfix Update for resolution):

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

Documentation may not be fully available at the time this post is published.

Blog post updates:

  • 4/23/2024: Added a banner and links to April 2024 Hotfix Updates which address known issues with March 2024 SU
  • 4/5/2024: Added a known issue with published calendars.
  • 3/28/2024: Added a known issue where some add-ins are not working properly.
  • 3/22/2024: Added a 'yellow envelope icon' issue to known issues.
  • 3/14/2024: Added a workaround for the Outlook Search issue that some environments (not all) can experience.

The Exchange Server Team

378 Comments
Brass Contributor

I had a user today put a ticket in for the authentication error in Outlook for Android. No changes were made, so I'm assuming the token had just expired. We tried to re-set up that user and a few test accounts and none worked. If we used the UPN we would get "check user name or password", but with the domain specified like it was we would get "An error occurred during authentication please try again". I don't think it's the Outlook app version; mine, which works, and our fresh-install test devices all have 4.2410.0, so it's either the March update or MS made back-end changes recently.

 

This March update is going great, thanks Microsoft! I know, I know, how dare we use on prem exchange.

Copper Contributor

We are having the issue where new enrollments to the Outlook mobile app no longer register, but those done previous to the March updates work correctly. No workaround so far has fixed this issue. This is for both Android and iOS.

Copper Contributor

Same issue with the Outlook mobile app and on-prem Exchange; haven't installed the March update yet. If the account is already set up everything works; if the password is reset or an account is added it won't authenticate. This is for both Android and iOS.

Steel Contributor

@mati5000 so the Outlook issue is not caused by the March SU? Hmm, I will remove my profile from Outlook on my iPhone and try to re-add it.

Steel Contributor

I can confirm. I removed my account from my iPhone Outlook app, power-cycled my phone and attempted to re-add the account. It fails: 'unable to login'. FYI, the Outlook app was updated today.

Also, I omitted the 'Domain' field and used my email address as account name and I got 'Unable to login - please check your email address and password and try again' error message.

Server 2019
Exchange 2019 CU14 (no MAR SU)

iPhone 13 iOS version 17.4.1

Outlook App version 4.2410.0

Copper Contributor

@mati5000 Did you by chance install the windows out of band update for Domain controllers recently?

https://support.microsoft.com/en-us/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8...

 

Copper Contributor

@Brianmsb not yet.

 

Exchange 2016 and 2019 (no MAR SU)

iPhone 13 iOS version 17.4.1

Outlook App version 4.2411.0

 

Using the Gmail app or the built-in iPhone apps works.

Brass Contributor

@mati5000 Can you confirm you are on outlook 4.2410.0?

Steel Contributor

@Brianmsb I have not installed the OOB update yet and I am having the issue with Outlook mobile. Are you having issues with the OOB update? I will be installing it tomorrow.

Copper Contributor

@ceantuco We installed the oob earlier this week, just was wondering if that may have caused the issue but if you haven't installed it makes me think that OOB has nothing to do with it.  Also earlier this month installed the Exchange 2016 march SU.

 

I believe we are using 4.2411.0 outlook app.

Copper Contributor

@Terrymmd91 I was on Outlook 4.2410.0 had the issue and updated to 4.2411.0 same issue.

Steel Contributor

@Brianmsb yeah I don't think the OOB update is causing the issue. We haven't installed the March SU yet. 

@mati5000 so the issue is not due to the new version of Outlook app.... it must be on the MS side.

Copper Contributor

I have iOS users attempting to access webmail and receiving a basic credential prompt which they cannot dismiss. This is after enabling Extended Protection on CU14. When I disable Extended Protection I am able to log in fine to webmail. This only seems to affect iOS, as I can log in via Android and desktop browsers fine.

Iron Contributor

Thanks @Nino Bilic!   

Microsoft

@TimDJordan Can you check #3 over here (setting on two virtual directories that could impact iOS / Android clients): Exchange Server support for Windows Extended Protection | Microsoft Learn 
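An added example, not part of the post or of the comment above, for admins working through the Extended Protection prerequisites referenced there: it inventories the Extended Protection setting on every Exchange virtual directory of one server so the values can be compared against Microsoft's Extended Protection article before anything is changed. It assumes it is run from the Exchange Management Shell on an Exchange 2016/2019 server with an SU that exposes the ExtendedProtectionTokenChecking properties (August 2022 or later); the $server and $report names are mine.

```powershell
# Added example (not the Exchange Team's code): list Extended Protection (EP)
# token-checking settings on all virtual directories of one server.
# Assumption: run in the Exchange Management Shell; $server names the server to check.
$server = $env:COMPUTERNAME

# Each of these cmdlets returns vdir objects carrying ExtendedProtectionTokenChecking
# (None / Allow / Require), ExtendedProtectionFlags and ExtendedProtectionSPNList.
$vdirCmdlets = @(
    'Get-OwaVirtualDirectory',
    'Get-EcpVirtualDirectory',
    'Get-WebServicesVirtualDirectory',
    'Get-ActiveSyncVirtualDirectory',
    'Get-AutodiscoverVirtualDirectory',
    'Get-MapiVirtualDirectory',
    'Get-OabVirtualDirectory',
    'Get-PowerShellVirtualDirectory'
)

$report = foreach ($cmdlet in $vdirCmdlets) {
    # -ADPropertiesOnly reads the settings from AD and skips the slower IIS query
    & $cmdlet -Server $server -ADPropertiesOnly | ForEach-Object {
        [pscustomobject]@{
            VirtualDirectory = $_.Identity
            TokenChecking    = $_.ExtendedProtectionTokenChecking
            Flags            = ($_.ExtendedProtectionFlags -join ',')
            SPNList          = ($_.ExtendedProtectionSPNList -join ',')
        }
    }
}

# Full inventory, one row per virtual directory
$report | Sort-Object VirtualDirectory | Format-Table -AutoSize

# Call out directories where EP is not enforced so they can be checked against the
# per-client guidance (the mobile-client note in the article) before deciding what to change.
$report | Where-Object { $_.TokenChecking -ne 'Require' } | ForEach-Object {
    Write-Warning "$($_.VirtualDirectory): EP token checking is '$($_.TokenChecking)'"
}
```

The script only reads configuration; changing a virtual directory's setting is done separately with the matching Set-* cmdlet once the documented value for that directory and client mix is known.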

Brass Contributor

@Nino Bilic So what about the growing number of people having issues with Outlook mobile now? multiple sources are reporting the same issues. I like how the "contact developers" on the Android app goes to a noreply, that's helpful.

Microsoft

@Terrymmd91 At this time, I do not know what is going on with mobile Outlooks having issues. Based on comments (several) - the issue is not tied to installation of March SU. Trying to see if I can repro.

Copper Contributor

@Nino Bilic 

We have problems adding email accounts in mobile Outlook on iOS and Android. Same problems as other users reported before.

We use Exchange 2016 CU23 with the DAG function. Our problems arose after installing the March 2024 SU.

Brass Contributor

> I was talking about ActiveSync (Gmail on Android). I confirm that I have the same issue in the Outlook for iOS and Android app.

> When I mentioned I omitted the domain, that was in the configuration of the Gmail app (my email is different from my UPN).

 

I'm running Android version 14 on a Pixel 6a (The Pixels are the reference versions of the phones that Google develops Android on) and in the Advanced Settings of that email app there is now no separate box for Domain.  Instead the box is labeled "Domain\Username"   And, I did include our internal "pre 2000K" domain as part of the username (domain\username) on that line.  We make users put in the domain\username when they access OWA as well.

 

 

According to:

 

Release notes for Outlook Mobile - Office release notes | Microsoft Learn

 

The following recent Android builds were released for the Outlook Mobile client:

March 25, 2024

Build v4.2411.0

March 18, 2024

Build v4.2410.0

 

However when I install the app from the Play Store I get version 4.2410.0 not the March 25th version.   Plus, the Play Store entry says the app was updated March 21st.

 

The following website purports to have older versions of the Mobile client I will take a look and see what I can find and report back.

 

Older versions of Microsoft Outlook (Android) | Uptodown

 

 

Brass Contributor

I downloaded and side-loaded the November 29 version (4.2345.1) of Outlook Mobile and it too fails to authenticate. I tried going further back, but very quickly I ran into errors where the program complains that it is incompatible with the current version of Android and I need to contact the manufacturer for a newer version.

 

So I really do not find ANY evidence at all that anything other than the March update broke this.  In short, the statement:

 

"At this time, I do not know what is going on with mobile Outlooks having issues. Based on comments (several) - the issue is not tied to installation of March SU. Trying to see if I can repro."

 

is NOT a correct summation of the issue.  This was absolutely triggered by the March SU update and the evidence points to some developer at Microsoft thinking that they know more about administering mail servers than their customers do and trying to force some changed option that they think is lovely, that breaks their very own mobile software (and NO other competitor's mobile software)

 

Nino if you are unable to reproduce I can give you a test account on our Exchange server and you can see the problem for yourself.

Copper Contributor

The envelope icon is described as cosmetic but some find it annoying.  Is there any plan to fix this?

Brass Contributor

My 2c on this or any other update affecting on premises servers while looking after 50k or so on prem stuff while migrated 20k or so.

 

1. My aim is to apply any security update ASAP.

2. Then I try to test any update in a test environment; however, I don't have the time/luxury to test all possible scenarios.

3. This time there are many issues and I would suggest reading the whole thread first.

4. I completely agree with all here that there is some quality control lacking on the MS side when releasing patches that break things on-premises.

 

So my options are:

- I have to explain to higher-ups that I am OK to patch anytime but there will be couple of major issues (cosmetic or not). Maybe the decision is to wait or not. Functionality vs Security.

- maybe MS comes with some fix really fast

 

EXO seems to be the way we are getting guided towards, but I have encountered way more functional issues than I have ever had to deal with once going to hybrid and started migrating. So sharing some thoughts before the thread gets locked.

Just sharing some items that might help some (based on resolved or pending tickets):

- Outlook Mac fails GAL lookup due to EP ( that was a long back and forth and frustrating process with MS support until MS tweaked their own EP docs)

- MS disregarding MX records pointing to on prem and delivering straight into EXO envir because of "shared customers MS environment/datacenter locations". That was a disappointment and finicky workarounds.

- Send as alias introducing issues (well it might be still a "beta") and OOO and redir leaking addresses as onmicrosoft.com to external recipients instead of actual domain for those types of messages,

- MS Teams free busy glitch in hybrid for on prem user calendar availability (no resolution on this one as I have understood..rather than migrate all)

- terrible daily throttling EOP delivery to EXO via hybrid connector to EXO for specific environment when sudden uptick on message rate.

 

I might have no choice than to patiently wait for a patch to fix the patch.

 

Research before patching if possible.

 

I guess things can break, so let's give MS some slack while they are looking into this issue.

Brass Contributor

@Nino Bilic since we have installed the March SU on multiple Exchange servers in different Active Directories we experience some strange issues. At least the add-ins are not working anymore (at least on every Exchange 2016 server).

 

Users are not able to use (e.g.) the "My template" add-in in OWA anymore:

(Screenshot: derSchweiger_0-1711606980387.png)

Basically, every add-in isn't even loading in ECP. Is this a known bug?

 

Copper Contributor

Hi @derSchweiger. I and @chrlie experience the same issue as you (no other problems from the thread noticed so far in my environments).

But I think it's not yet acknowledged by the Exchange team (or at least it's not on the known issue list yet).

Did you have any success finding something?

Brass Contributor

@Jakub1994 good to hear that we are not the only one facing this issue! :)

Yeah, I've tried to dig a little bit deeper but haven't found any hints yet. Since we have installed this SU on 10 different ADs and we experience this issue on every single server, there must be a general problem with this update. 

Copper Contributor

@derSchweiger can you check if the plugin works for users whose mailbox database's active copy is on the same server as the active mailbox database containing all the arbitration mailboxes? It seems to be working as a workaround (in OWA; in Outlook it requires a manual logon) but completely defeats the purpose of a DAG.

Brass Contributor

@Jakub1994 this issue occurs on single node Exchange servers (with just one database) too.

Copper Contributor

OK, so the setup I described is more a unicorn scenario than a valid fix. Thank you for sharing that info.

Copper Contributor

Hi derSchweiger, this issue is probably related to "Download domains not working after installing the March 2024 SU", as in our environment users can edit Office documents (OOS) in OWA, and MS support indicated that as the possible cause.

Microsoft

@Ted_Mittelstaedt @dbkgict @Terrymmd91 @TimDJordan @mati5000 @Brianmsb @ceantuco @Peter2220 @Tonaco @dbran And anyone else asking about Outlook Mobile sign-in issues:

We believe that we have identified the problem causing this. It is related to a service-side change that just happened to be timed similarly to the release of the on-prem updates but is completely unrelated to Exchange Server CU or SU updates. Rather, it is related to the Cloud Cache service side (see how this works here: Using hybrid Modern Authentication with Outlook for iOS and Android | Microsoft Learn). We are working with the relevant service team to address it. We are still investigating the details of this, but this would explain exactly what is going on.

Brass Contributor

@Nino Bilic thanks for the update. We are not currently hybrid, but I know MS proxies the mobile connections so that makes sense. 

Microsoft

@derSchweiger @Jakub1994 @Tonaco Acknowledging the add-ins issue. Now added to known issues above. We have a repro (and a possible fix). To be continued...

Brass Contributor

@Nino Bilic thank you!

Steel Contributor

@Nino Bilic thanks for update! Please note, we are not Hybrid. We have one on Prem server. 

Brass Contributor

We are not hybrid either and this is the first time I have heard that MS is proxying the authentications from Outlook Mobile client.  I have NOT seen that URL from Microsoft Learn referenced in any of the Google Play documentation for Outlook Mobile.  I do thank you for at least disclosing it here.  I will definitely circulate it as well as this info to everyone I know.

 

Now I understand why Microsoft does not publish the code for Outlook Mobile because the very first patch that would be released for it is one that cuts that proxying right out of the application.

 

Who the heck do you think you are that you have the right to collect email addresses and passwords to them in your proxy cache server WITHOUT notifying any of the people downloading the Outlook Mobile app?

 

Oh, right, you are the folks making the app available FOR FREE.  Now I know WHY it's free.  From your view it's a quid-pro-quo, the "customer" (more like the mark or the sucker) gets the free app, and in exchange you get marketing data, their email address and password on top of it.

 

Don't you people understand some countries in the EU have actual laws requiring disclosure for this kind of thing?  Unlike the US which allows this sordid kind of information gathering.   Oh wait, I see on that URL page:

 

"On-premises accounts leveraging hybrid Modern Authentication with Outlook mobile are not supported with Office 365 US Government Community and Defense tenants, Office 365 Germany tenants, and Office 365 China operated by 21Vianet tenants."

 

So in other words none of those organizations can run Outlook Mobile, legally.  Yet the US Government was compromised last year in the last major O365 attack so clearly, many of the US Government offices aren't aware of this.  Why?  BECAUSE YOU DON'T MAKE WHAT YOU ARE DOING OBVIOUS by disclosing it on Google Play.

 

Frankly I think you are violating Google Play rules by not disclosing what you are doing but that's not my problem.  You probably also are violating the Apple store rules as well.

 

How can we trust you that this fancy "hybrid authentication" AKA Microsoft stealing email addresses and passwords is limited to JUST Exchange servers?  What about the various Linux mailserver projects that create a mailserver that has all the same authentication API's that Exchange uses like ActiveSync?  Are you man-in-the-middle collecting passwords and email addresses and userID's from them, too?  What about the IMAP clients do you use your proxy to collect authentication information from those, also?  How can we tell?  You don't publish the code for the mobile app!

 

I'm quite sure your sales and marketing department is regularly given reports of the top 100 domains that are passing through your authentication servers so that your salesguys can go hump those organizations legs for O365.

 

And don't think I'm letting Google off the hook on this one either as I have absolutely no doubt that they do the same **bleep** thing with their email app - not to mention that they already get the email address from the gmail address in the phone anyway, but they can collect all the additional email addresses from additional email accounts added to the Mail app in the phone, just as you are no doubt doing.  Except, oh wait - THEY PUBLISH THEIR MOBILE EMAIL CLIENT CODE so if they attempted this we would all know it.

 

God how it disgusts me how dirty this industry has become over the last decades.

 

Folks, I was sending email via UUCP before Internet email even existed.  We never ever intended for it to get this filthy and we did the best we could to try to make it impossible for this kind of thing to happen when designing protocols.  I'm sorry we failed but it just proves once more that money is the root of all evil and when you get enough of it, it will corrupt ANYTHING.

Brass Contributor

Pardon my naiveté, but the Outlook app proxies authentications through Microsoft, even for on-prem-only deployments?  

 

Do the built in iOS and Android Email apps do this?

 

Confused and potentially very concerned about this; but I'll bite my tongue until @Nino Bilic gets a chance to respond.

 

Thank you.

Steel Contributor

@4ppl3c0r3 My guess is yes. I have an on-prem server (no hybrid) and users using the Outlook mobile app experienced issues. I had to move them to iOS mail app. 

Microsoft

@ceantuco @Ted_Mittelstaedt @4ppl3c0r3 Note that this here is not Outlook or Outlook Mobile blog =) but, have a look at the Outlook Mobile architecture here: https://learn.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-basic-auth?view=e...

EDIT: More about password consideration here: Passwords and security in Outlook for iOS and Android for Exchange Server | Microsoft Learn

Microsoft

@MikeM1220 yes, we plan to fix the envelope issue as well.

Brass Contributor

Nino, our cyber insurance policy does not allow enabling basic authentication on Exchange. (at least, not on any Internet facing stuff that _they_ can scan, lol)

 

Ya all must a got to 'em before we did! ;)

 

But you make an EXCELLENT point.  So why don't you tell your Mobile devs to put a user override into the app code so that when we are setting up a new user on it, we can select basic auth as an option to override hybrid auth via the proxy.  Cause, right now, the mobile app will ignore basic auth if it can do a proxy hybrid auth, it favors that and does not give the user a way to override it and force basic auth.

 

Your idea!  So off you go and tell them that!  It won't help me but I'm sure plenty of admins will enable basic auth to get their users back online.  It's also useful to support older Outlook 2007 clients that are "officially" unsupported on later Exchange versions (oops, I probably shouldn't have mentioned that, ha ha) 

 

Also, don't you think that your Mobile people should be also investigating why Playstore isn't handing out the "latest" 4.2411 app version?  After all if their fix does involve updating the Mobile app itself, it will be kind of difficult to do that if it's stuck at the 4.2410.0 app which it appears to be.   Or possibly the junior programmer forgot to change the version number in the latest binary....

Copper Contributor

Anyone having an issue printing Calendar in OWA after the March SU? You go to print the calendar and no pop up to print, nothing happens. 

Copper Contributor

We had this issue before the update. We still have it.

Copper Contributor

Thank you. Will have to wait for next update and hope it gets fixed. 

Copper Contributor

I think Microsoft removed the button. I have been searching but I can find the information we collected when that happened.

Brass Contributor

> Anyone having an issue printing Calendar in OWA after the March SU? You go to print the calendar and no pop up to print, nothing happens.

 

Works for me. Try both Edge and Chrome, and do it from a workstation in workgroup mode just in case you have some GPO for Edge that's messing with it.

 

Copper Contributor

We also have an issue with printing calendar from OWA.
Also, I understood that Exchange version will be changed to Version 15.2 (Build 1544.9) after installing the March 2024 Update, but it is not. I am still having Version 15.2 (Build 1544.4).

Copper Contributor

Found that the URLs for downloading the S/MIME plugin for MS Edge and Google Chrome no longer work:

https://contoso.com/owa/smime/SmimeOutlookWebChrome.msi
https://contoso.com/owa/smime/owasmime.msi

 

Got this URL:

https://contoso.com/owa/auth/errorFE.aspx?httpCode=500

 

And this:

:(
Something went wrong
 
We can't get that information right now. Please try again later.
X-ClientId: 05CFAC82106F4E799D95FC49AF400744
X-FEServer exchangesrv01
Date:3/29/2024 12:40:57 PM

UPD: I uninstalled the SU from my test stand (Exch2019 CU14, WinSrv 2022 Std) and both links above started working.

Steel Contributor

We are also having issues printing calendars from OWA. I do not get any error messages, after selecting to print work week or day, the printer icon does nothing. I tried on Chrome, Firefox and Edge on domain and workgroup computers. 

Exchange 2019 CU14 no March SU. 

Microsoft

@ceantuco please try to use CTRL + P as a workaround.

Microsoft

@JasonMcBride1974 @Tonaco69 @svetozarpetrovic The workaround for the printing issue (if it reproduces for you) is pressing CTRL+P instead of using a button. Give it a try.

@svetozarpetrovic - please use Option 1 or Option 2 from here to check the version. Option 3 will not show the SU version: Exchange Server build numbers and release dates | Microsoft Learn 
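An added example, not from the post or from the comment above, showing in PowerShell why the version check matters: Get-ExchangeServer's AdminDisplayVersion stays at the CU build (the 15.2 (Build 1544.4) the earlier comment saw on 2019 CU14), while the file version of ExSetup.exe moves to the SU build (15.2.1544.9 for the March 2024 SU on CU14, as quoted in that comment). It assumes it is run from the Exchange Management Shell on the server being checked; the expected build is an input you must set for your own CU, and the function and variable names are mine.

```powershell
# Added example (not the Exchange Team's code): report the installed Exchange build
# from ExSetup.exe, whose file version changes when an SU is installed, beside
# AdminDisplayVersion, which only reflects the CU and will not show the SU.
# Assumption: run in the Exchange Management Shell on the server to check.

# Build quoted in this thread for Exchange 2019 CU14 with the March 2024 SU.
# Set this to the SU build for your own CU (from the Exchange build numbers article).
$expectedSuBuild = [version]'15.2.1544.9'

function Get-ExchangeInstalledBuild {
    # ExSetup.exe's file version string (e.g. 15.02.1544.009) parses to a [version]
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.FileVersion
}

function Test-ExchangeSuInstalled {
    param([version]$Expected)
    # True when the file version is at or beyond the expected SU build
    return (Get-ExchangeInstalledBuild) -ge $Expected
}

$installed    = Get-ExchangeInstalledBuild
$adminDisplay = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion

Write-Host "ExSetup.exe file version   : $installed"
Write-Host "AdminDisplayVersion (no SU): $adminDisplay"

if (Test-ExchangeSuInstalled -Expected $expectedSuBuild) {
    Write-Host "Build $installed is at or above $expectedSuBuild; the expected SU is present."
} else {
    Write-Warning "Build $installed is below $expectedSuBuild; the expected SU is not installed."
}
```

Run it on every Exchange server and every Management Tools machine; the FAQ above expects all of them to carry the same SU level.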

Last update: Apr 23 2024 10:22 AM