Modern Auth: Information for Application Owners


Changes to Microsoft Exchange Services Authentication

Microsoft has announced that they will be disabling Basic (legacy) Authentication methods effective October 1, 2022. Microsoft will remove the ability to use Basic authentication (username and password) in Exchange Online for the following services: Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), and Outlook for Windows and Mac. This means that any applications that are currently configured to use Basic Authentication protocols will need to be updated to support OAuth 2.0 before August 1st.

Why is this changing?

While Basic Authentication is simple, it is more vulnerable to attacks and compromised credentials. Microsoft is removing Basic Authentication to strengthen the security of their services.

Who/what will be affected?

Any Dartmouth application/service that currently uses Basic Authentication to send mail.

What do I need to do?

Please review vendor documentation for any application currently using Basic Auth and contact the vendor to learn whether your application supports OAuth 2.0. If your application supports OAuth, the following will be required:

  • An existing service account with a mailbox
  • Application ID
  • Tenant ID
  • Client Secret

Once you have confirmed that your application can be configured to use OAuth, please submit a service request with Infrastructure Services. Please include the name of your application and any relevant documentation from the vendor. Infrastructure will review the request and provide you with the required credentials to update your application if appropriate. This work must be completed by August 1, 2022 in order for email to continue working in your application.

If your application does not currently support OAuth, there are two alternatives.

If your app uses SMTP authentication with the endpoint of smtp.office365.com, nothing needs to be changed. SMTP authentication will continue to work after Microsoft disables Basic Auth. Please note that this is only a temporary option and any application using SMTP authentication must switch to OAuth as soon as possible, since Microsoft will eventually disable SMTP authentication as well.

The second option is to use the on-premises Exchange SMTP relay for IP-authenticated mail. Non-user-based authenticated email relay through the Dartmouth email system is strongly discouraged due to the security risks to the institution. It is recognized that some devices and services do not allow for user accounts to be added to the functionality. To obtain an exception to this policy, a security review of the proposed configuration must be obtained prior to implementation. The owner of the device or service must demonstrate full compliance with the guidelines documented in the Dartmouth Information Security Committee charter (DISC).

If you are unsure whether your application is capable of using Modern Auth or have questions about changing your application's configurations, please submit a service request. More information on these changes can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

For custom applications, developers may also find the following documentation helpful: https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
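
As an added illustration (not code from Dartmouth or Microsoft), the sketch below shows where the Tenant ID, Application ID, Client Secret and service-account mailbox listed above end up in an OAuth sign-in for IMAP. It assumes the client-credentials grant against the Microsoft identity platform v2.0 token endpoint and the SASL XOAUTH2 format; all IDs, secrets and addresses are constructed placeholders, and nothing is sent over the network.

```python
import base64
import urllib.parse

# Assumed values (not stated in the article): v2.0 token endpoint and the
# Exchange Online scope used with the client-credentials grant.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"


def build_token_request(tenant_id, application_id, client_secret):
    """Return (url, form-encoded body) for the token POST; nothing is sent."""
    for name, value in (("tenant_id", tenant_id),
                        ("application_id", application_id),
                        ("client_secret", client_secret)):
        # A pasted secret with a trailing newline fails in a confusing way.
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has stray whitespace")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe="")), body


def xoauth2_string(mailbox, access_token):
    """SASL XOAUTH2 response: user=<mailbox>^Aauth=Bearer <token>^A^A, base64."""
    if "\x01" in mailbox or "\x01" in access_token:
        raise ValueError("control character in mailbox or token")
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def redact(body):
    """Return the form body with the client secret masked, for logging."""
    pairs = urllib.parse.parse_qsl(body)
    return urllib.parse.urlencode(
        [(k, "REDACTED" if k == "client_secret" else v) for k, v in pairs])


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    url, body = build_token_request("00000000-0000-0000-0000-000000000000",
                                    "11111111-1111-1111-1111-111111111111",
                                    "constructed-secret")
    print(url)
    print(redact(body))
    print(xoauth2_string("svc-app@example.edu", "constructed-token"))
```

The client secret belongs in a secrets store or protected configuration, never in source control, and only the redacted form of the request should reach application logs.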

Details

Article ID: 141363
Created: Fri 2/11/22 4:10 PM
Modified: Tue 4/12/22 10:45 AM