News

Exchange Tenancies Should Prep for iOS Device 'Modern Authentication' Shift

• By Kurt Mackie
• 06/17/2022

Microsoft and Apple are working together to eliminate Basic Authentication use with the Mail app for organizations using the Microsoft Exchange Online e-mail service, according to a Thursday Microsoft announcement.

Basic Authentication is the simple use of a user name and password to verify credentials. It's subject to things like "password spray" attacks, where commonly used passwords are tried across an organization to find an entry point for further attacks.

Microsoft has previously indicated its plans to drop Basic Authentication support with the Exchange Online e-mail service, which is slated to occur on Oct. 1, 2022.

Microsoft and Apple both support the OAuth 2.0 authorization protocol as a more secure approach (called "Modern Authentication" by Microsoft) than Basic Authentication. However, organizations using the Mail app on Apple devices with older Exchange Online accounts could still be using Basic Authentication.

OAuth support is just present if it was part of the Mail app when organizations started using the Exchange Online service, Microsoft explained:

Apple has supported OAuth in iOS and macOS clients for several years, so anyone setting up a new Exchange Online account in the Mail app on these devices should be configured to use Modern auth. The key here is "new." An Exchange Online account uses Modern auth only if it were added to the device after OAuth support was added to the Mail app.

Basic Authentication, once established with the Exchange Online service, can also persists after device upgrades and backup restores, Microsoft explained.

Coming iOS Update
Apple is planning to release an update to iOS devices that will initiate the OAuth authorization protocol for the Mail app, which will affect organizations using the Exchange Online service. This update will "remove the stored Basic auth credentials from the device, and then reconfigure the settings on the account to use OAuth," Microsoft indicated.

The delivery date for Apple's iOS update that will kick off this shift to OAuth wasn't specified. Microsoft explained that the switch will be enabled by Apple's use of a "Resource Owner Password Credential (ROPC) grant." It will permit "an application to sign in the user by directly handling their password," Microsoft added.

Apple is also planning a similar future update release for macOS devices that will accomplish this same OAuth shift for Mail clients, according to Microsoft. Details about that coming macOS update weren't described.

Appeal to IT Pros
Microsoft's announcement appealed to IT pros to check how permissions are set up for Mail apps accessing the Exchange Online service before Apple's iOS update arrives.

The shift to OAuth can be smooth experience for end users, but there won't be a "seamless switchover" if organizations have configured controls and policies that affect the ability for the Mail app to connect using OAuth." Those controls and policies include things like "Conditional Access rules and/or a requirement for multi-factor authentication," Microsoft explained.

IT pros can eliminate possible end user confusion by granting consent for the Mail app for the whole Exchange Online tenant, Microsoft suggested. It's planning to send a details on how IT pros can grant such consent in a future Message Center notice. This notice will be arriving "in the next few days."

Exceptions
Organizations that use a mobile device management solution won't be switched to OAuth via this coming iOS update. They'll have to follow their mobile device management software vendor's advice on how to make that change for iOS devices, Microsoft explained.

Also, organizations that already use certificate-based authentication "will be unaffected when Exchange Online turns off Basic auth in Exchange Online later this year," Microsoft indicated.