Exchange Online Users Getting Client Authentication and ActiveSync Improvements

Microsoft this week announced a couple of changes coming to organizations that use its Exchange Online e-mail service.

One of the changes will add "modern authentication" to a couple of client applications. The other change affects users of the Exchange ActiveSync service and how Microsoft's Azure Active Directory Conditional Access service works with it.

Modern Authentication Client Updates
First, Microsoft is planning to add "modern authentication" capabilities to Outlook clients on Windows systems, as well as Skype for Business clients, for Office 365 tenancies. However, those changes will only take place if an organization has been an Office 365 tenant since Aug. 1, 2017.

Moreover, the changes will also only affect so-called "managed tenants." They won't affect organizations using a federation service, such as the Active Directory Federation Services (ADFS) capability of Windows Server.

Here's how Microsoft described the distinction between "managed" and "federated" tenants, and which organizations will be affected by the coming modern authentication client changes:

If you use Password Hash Sync, Pass-Through Authentication, or you create, manage and authenticate your user identities directly in the cloud, your tenant is considered a 'managed tenant' -- and this change affects you.

If your [sic] still create, manage and authenticate your identities in your on-premises Active Directory, and you use ADFS or some other 3rd party iDP to authenticate your users -- your tenant will not be affected by this change.

When affected organizations get switched over to the modern authentication approach, end users will see the newer sign-in prompt in the Outlook for Windows client or the Skype for Business client. It'll look like the following dialog box:

Modern authentication sign-in prompt. (Source: Microsoft Exchange blog)

It wasn't clear from the announcement when organizations would see the change. IT pros don't need to take any actions for the switch to occur, the announcement suggested.

Microsoft previously switched Office 365 tenants to modern authentication for the Outlook mobile and Outlook for Mac clients, as well as the Outlook on the Web browser-based solution.

Modern authentication is based on the use of the Active Directory Authentication Library and OAuth 2.0 tokens. It's a certificate-based identity and access approach that's deemed more secure than Microsoft's so-called "basic authentication" approach, which relied on Microsoft Online Sign-In Assistant technology. Modern authentication also makes it easier for organizations to use multifactor authentication, a secondary identity verification scheme.

The days of basic authentication appear to be numbered. Last year, Microsoft announced that it was planning to end support for basic authentication when used with Exchange Web Services on Oct. 13, 2020.

Exchange ActiveSync and Conditional Access
Microsoft's second announced item is that its Azure AD Conditional Access service will be offering better support for organizations that use the Exchange ActiveSync service. Exchange ActiveSync is an e-mail client synchronization service that's used to connect mobile devices with Exchange Server.

Apparently, some Conditional Access policy conditions that weren't previously supported with Exchange ActiveSync will now be recognized. Microsoft wants IT pros to take action and remove any blocks that were set because of that lack of support.

"So, if you have CA policies today that block EAS traffic because a condition is not supported, we advise you inspect and remove any of the unsupported conditions from policy," the announcement advised.

Microsoft's announcement didn't indicate which conditional policies are now supported by Exchange ActiveSync.
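The two announcements above share one defender's task: finding out which sign-ins still rely on basic authentication (the EWS cutoff mentioned earlier) and which Exchange ActiveSync sign-ins Conditional Access never evaluated. As an added example, not code from the article or from Microsoft, the following Python script triages sign-in records for exactly that. It assumes records shaped like Microsoft Graph sign-in log entries (fields such as clientAppUsed and conditionalAccessStatus) and treats every client protocol other than "Browser" and "Mobile Apps and Desktop clients" as legacy authentication; the embedded records are constructed sample data, not real tenant logs.

```python
"""Triage sign-in records for legacy (basic) authentication and unevaluated Conditional Access.

Added example, not from the article. Field names follow the Microsoft Graph
signIn resource (clientAppUsed, conditionalAccessStatus, ...); the records
below are constructed sample data, not real tenant logs.
"""
import json
from collections import Counter

# Clients that sign in with modern authentication (OAuth 2.0 tokens).
# Any other clientAppUsed value is treated here as a legacy-auth protocol (assumption).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records as JSON lines (not real tenant data).
SAMPLE_SIGNINS = """\
{"createdDateTime": "2020-05-01T08:00:01Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "success"}
{"createdDateTime": "2020-05-01T08:00:02Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2020-05-01T08:00:03Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange Web Services", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2020-05-01T08:00:04Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "conditionalAccessStatus": "success"}
{"createdDateTime": "2020-05-01T08:00:05Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "conditionalAccessStatus": "notApplied"}
"""


def parse_signins(jsonl: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_legacy_auth(record: dict) -> bool:
    """True when the sign-in's client protocol is not a modern-auth (OAuth 2.0) client."""
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_auth_report(records: list) -> dict:
    """Summarise legacy-auth usage: counts per protocol, affected users,
    and how many of those sign-ins Conditional Access never evaluated."""
    legacy = [r for r in records if is_legacy_auth(r)]
    return {
        "legacy_signins": len(legacy),
        "by_protocol": dict(Counter(r["clientAppUsed"] for r in legacy)),
        "users": sorted({r["userPrincipalName"] for r in legacy}),
        "ca_not_applied": sum(1 for r in legacy if r.get("conditionalAccessStatus") == "notApplied"),
    }


if __name__ == "__main__":
    print(json.dumps(legacy_auth_report(parse_signins(SAMPLE_SIGNINS)), indent=2))
```

Pointing the same functions at an export of a tenant's own sign-in logs gives the inventory of users and protocols to migrate before basic authentication is retired.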

The improved support has already started to roll out to Office 365 tenancies.

"The EAS change has started rolling out and we've sent Message Center posts to all tenants we believe might see an impact based on their existing policies. So check Message Center," commented Greg Taylor of Microsoft in the comments section of the announcement.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
