Changes to Microsoft Exchange Services Authentication
Microsoft has announced that they will be disabling Basic (legacy) Authentication methods effective October 1, 2022. Microsoft will remove the ability to use Basic authentication (username and password) in Exchange Online for the following services: Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac. This means that any applications that are currently configured to use Basic Authentication protocols will need to be updated to support OAuth 2.0 before August 1st.
Why is this changing?
While Basic Authentication is simple, it is more vulnerable to attacks and compromised credentials. Microsoft is removing Basic Authentication to strengthen the security of their services.
Who/what will be affected?
Any Dartmouth application/service that currently uses Basic Authentication to send mail.
What do I need to do?
Please review vendor documentation for any application currently using Basic Auth and contact the vendor to learn whether your application supports OAuth 2.0. If your application supports OAuth, the following will be required:
- An existing service account with a mailbox
- Application ID
- Tenant ID
- Client Secret
Once you have confirmed that your application can be configured to use OAuth, please submit a service request with Infrastructure Services. Please include the name of your application and any relevant documentation from the vendor. Infrastructure will review the request and provide you with the required credentials to update your application if appropriate. This work must be completed by August 1, 2022 in order for email to continue working in your application.
If your application does not currently support OAuth, there are two alternatives. If your app uses SMTP authentication with the endpoint of smtp.office365.com, nothing needs to be changed. SMTP authentication will continue to work after Microsoft disables Basic Auth. Please note that this is only a temporary option and any application using SMTP authentication must switch to OAuth as soon as possible, since Microsoft will eventually disable SMTP authentication as well. The second option is to use the on-premises Exchange SMTP relay for IP-authenticated mail. Non-user-based authenticated email relay through the Dartmouth email system is strongly discouraged due to the security risks to the institution. It is recognized that some devices and services do not allow for user accounts to be added to the functionality. To obtain an exception to this policy, a security review of the proposed configuration must be obtained prior to implementation. The owner of the device or services must demonstrate full compliance with the guidelines documented in the Dartmouth Information Security Committee charter (DISC).
If you are unsure whether your application is capable of using Modern Auth or have questions about changing your application's configurations, please submit a service request. More information on these changes can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
For custom applications, developers may also find the following documentation helpful: https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
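How the four items listed above (service account mailbox, Application ID, Tenant ID, Client Secret) fit together in a custom application, as an added example that is not Dartmouth's or Microsoft's own code: it builds the OAuth 2.0 client-credentials token request and the SASL XOAUTH2 string that an IMAP, POP or SMTP client sends in place of a password. It assumes the application is registered for the client-credentials flow described in the Microsoft documentation linked above; all values are constructed placeholders and the function names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders; the real values are issued with the service request.
# Load the client secret from a secret store or environment, never from source control.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APPLICATION_ID = "11111111-1111-1111-1111-111111111111"
MAILBOX = "svc-app@example.edu"
# Scope used for the client-credentials flow against Exchange Online mail protocols.
SCOPE = "https://outlook.office365.com/.default"


def build_token_request(tenant_id, application_id, client_secret):
    """Build (without sending) the token request for the tenant's v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode("ascii")
    return urllib.request.Request(url, data=body, method="POST")


def fetch_access_token(request, timeout=10):
    """Send the request and return the short-lived bearer token (needs network)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def xoauth2_string(mailbox, access_token):
    """SASL XOAUTH2 initial response: mailbox and bearer token, base64-encoded."""
    # \x01 is the field separator, so it must not appear inside either value.
    if "\x01" in mailbox or "\x01" in access_token:
        raise ValueError("control character in XOAUTH2 field")
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    req = build_token_request(TENANT_ID, APPLICATION_ID, "constructed-secret")
    print("POST", req.full_url)
    # Constructed token stands in for the value fetch_access_token() would return.
    print("AUTHENTICATE XOAUTH2", xoauth2_string(MAILBOX, "constructed-token"))
```

The account password never goes over the mail protocol here; only the expiring token does, so the application must request a fresh token when the current one expires.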