back to article Admins beware! Microsoft gives heads-up for 'disruptive' changes to authentication in Office 365 email service

Microsoft has doled out more details on forthcoming changes to the way mail clients authenticate to Exchange Online, the email service used by Office 365. In March 2018, Microsoft said that it would require Modern Authentication for Office 365 services including Exchange Online, and that this would be enforced from 13 October …

  1. Andytug


    "we strongly suggest you switch to Outlook" on mobile, the native mail apps won't work.

    That'll be popular...….

    1. IGotOut Silver badge

      Re: Hmmmm....

      In my experience, most native email apps are pretty terrible anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmmmm....

        "In my experience, most native email apps are pretty terrible anyway."

        But when your choice is pretty terrible or Outlook terrible, what do you choose?

        1. J. Cook Silver badge

          Re: Hmmmm....

          That's like asking if you'd rather be shot in the leg with a 9mm or a .45- I'd rather not be shot at all, but that's not an option.

          (having used a multitude of mobile device apps, they ALL suck in some form or other.)

        2. DCdave
          Big Brother

          Re: Hmmmm....

          Fortunately at least on Android, the choice is not limited to pretty terrible stock email or Outlook terrible. TypeApp, for example, supports OAuth and multiple email accounts, is highly customisable advert-free and free of charge. I'd pick it over the Outlook client any time.

          1. G Olson

            Re: Hmmmm....

            "the use of TypeApp services and software will be governed by the law of the State of New York, NY, USA ".

            NO, not happening

        3. The Man Who Fell To Earth Silver badge

          Re: Hmmmm....

          Especially on a phone, where the Outlook app is just plain an embarrassment.

          1. This post has been deleted by a moderator

      2. gigabitethernet

        Re: Hmmmm....

        I would rather use the native Android Gmail client and calendar simply because its more resource efficient than the Outlook one.

        1. MachDiamond Silver badge

          Re: Hmmmm....

          "I would rather use the native Android Gmail client and calendar simply because its more resource efficient than the Outlook one."

          You've circled back around to the comment about being shot with a 9mm or .45. Do I use an email system that is known spyware or one that's so messed up that it may broadcast your private to everybody?

      3. Patrician

        Re: Hmmmm....

        Not great but still better than Outlook

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm....

      Especially as outlook calendar doesn't integrate with the android calendar at all and therefore you can't use any calendar apps, extensions, etc to read that calender other than directly through the outlook API.

      1. CrazyOldCatMan Silver badge

        Re: Hmmmm....

        Especially as outlook calendar doesn't integrate with the android calendar

        I use the app "Nine" for Activesync access specifically because it does integrate calendars properly..

        1. Anonymous Coward
          Anonymous Coward

          Re: Hmmmm....


          For me it’s Nein. Wouldn’t trust random app developers with my data and password details.

          1. Spanners Silver badge

            Re: Hmmmm....

            "Wouldn’t trust random app developers..."

            And you trust Microsoft?

      2. TonyJ Silver badge

        Re: Hmmmm....

        You can integrate the Outlook calendar with the Samsung one if you're on O365 by creating an app password and using that.

        If you try to use your normal password, it fails (though I suspect this may also be partly due to the account using MFA).

        Hardly a seamless experience to set up.

    3. Nate Amsden Silver badge

      Re: Hmmmm....

      one bonus(depending on your point of view) to using the outlook app over native, is likely the phone can not be remote wiped by the admins. I didn't have a fear of admins at my org doing that to me but it was more of a fear of a software bug or something tripping that could cause it.

      I used office365 mail/calendar on Android native(4.4) up until about July of last year. Newer phone newer Android and using Outlook app since. It's not as nice not being able to use the native calendar app to view things(extra clicks to get to the calendar), but the trade off of having a much lower privileged app vs all the insane permissions the built in stuff got I guess is worth the trade off for me personally. I mean it's one of the least annoying things about using the newer Android system.

      1. Charlie Clark Silver badge

        Re: Hmmmm....

        I've switched to FairMail for Android: getting active development and for people who use e-mail a lot. Outlook has always sucked as an e-mail client but the strength has always been in the calendar and address book, which "just work" for most people.

        1. G Olson

          Re: Hmmmm....

          "FairEmail does not support non-standard protocols, like Microsoft Exchange Web Services and Microsoft ActiveSync."

          1. Charlie Clark Silver badge

            Re: Hmmmm....

            Which is why I always use IMAP… better than ActiveSync anyway. JMAP also loooks nice.

      2. John Miles

        Re: is likely the phone can not be remote wiped by the admins

        Unless the company insists on the InTune Company Portal App

      3. Morat

        Your company doesn't insist on remote wipe ability on your phone? How do they ensure that corporate data isn't lost if your phone is lost/stolen?

    4. AJ MacLeod

      Re: Hmmmm....

      Can you print from the Outlook app yet?

      1. AJ MacLeod

        Re: Hmmmm....

        OK, a bit of research says no, you still can't print from it. MS have been writing shoddy software for longer than I can remember, but that's a pretty impressive fail...

        1. Spanners Silver badge

          Re: Hmmmm....

          It may be a fail but not too catastrophic. The whole idea of email is to not print.

          Stuff is sent to you to look at, comment on etc. If there is anything to print, it is an attachment. Why are you trying to print it off?

          1. Androgynous Cow Herd

            Re: Hmmmm....

            Way to turn a feature gap into a feature...

            are you in marketing?

          2. Charlie Clark Silver badge

            Re: Hmmmm....

            The whole idea of email is to not print.

            I don't think that was ever part of the RFC. Certainly the aim was to be able to contact people without sending letters but printing has always been possible and countless law cases can attest to the importance of being able to do this.

    5. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm....

      Our $BIGCORP is migrating to OAuth2 now but has decided not to also allow app passwords even though it's the same thing (per app authorisation which can be rescinded).

      As IMAP OAuth2 clients which work with Office 365 are few and far between, they're herding everyone to a) the Outlook app or b) a cloudy email app which slurps company email. Very clever.

    6. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm....

      This rather sounds as though they'll be locking out Thunderbird users as well, which will not go down at all well at my workplace. The Outlook webmail is flatso ugly and (like most webmail) a bit shit compared to a real email program <sigh>.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmmmm....

        Evolution will do OAuth2 on Office 365, the code could be ported if it weren't for Evolution using EWS and Thunderbird using IMAP.

  2. Anonymous Coward
    Anonymous Coward

    But will it actually work for 365 days a year ?

    It seems to have more holidays than a school teacher.

    1. A Non e-mouse Silver badge

      All services, public cloud or on-prem will have issues. Anyone saying a service will have 100% availability is lying.

      My work email has been in Office 365 for several years with no issues that I can remember.

      1. Robert Grant Silver badge

        So....maybe it should be Office 364, to have 3 9s uptime?

        1. Inventor of the Marmite Laser


          The Beast, upside down

          1. Wayland

            Monster ווו

        2. parperback parper

          365 could be accurate

          as this year has 366 days.

          1. Robert Grant Silver badge

            Re: 365 could be accurate

            I'm jealous that I didn't spot that. Have a well-deserved upvote.

      2. DougMac

        There definitely have been outages I've noticed on my work email.

        They must have just lined up with your usage not requiring access at that particular time. Too bad that wasn't the case for me.

      3. Nate Amsden Silver badge

        People keep saying this but fail to disclose the blast radius of such issues. An org that has a downed exchange system affects only that org. Doesn't affect dozens, hundreds or in some cases thousands of orgs.

        MS has had a large number of outages in their services over recent years.

        One thing that pissed me off most about office 365 recently is a bug in Outlook web access. If I sent plain text emails (which I did until I gave up on getting the bug fixed) the OWA client would merge all the lines together making things unreadable in many cases. It looked fine from the "Sent" folder, but received emails were jumbled up. Super easy to reproduce. IT team informed MS, and we waited for a fix. Meanwhile I was fine to stay on the "legacy" UI which had no such problem. (and yes the majority of my email is done from linux on OWA, I do run Outlook 2010 on a windows VM which is hooked up as well but that gets a minority of use, mainly for better searching, and yes I know 2010 will break later this year).

        Fast forward a few months and they turn off the "legacy" UI, and the bug still isn't fixed. So I have to switch to html email.

        Similar issues with "cloud" Confluence from Atlassian, they are dramatically changing their UI breaking TONS of things and there is no recourse. It's quite sad the state of software these days and it's getting worse.

        Having on prem, or at least self managed, would allow you to wait until you are ready to upgrade.

        1. jgard

          God this is so juvenile and tiring. Instead of praising MS for taking a sensible and responsible decision on oauth, we get the usual shit Microsoft grumbles. Don't use MS if you don't like em, or don't work for a company that does.

          I have been in this game a long time and am still surprised at the MS bashing on here and other channels. The conclusion I draw is that many commentards do this because they don't have the knowledge and experience to offer much in the way of informed opinion. It's an easy way to grab some tech kudos and pretend to yourself and others that you know more than you do. For those people I'll advise you on the facts: MS are a giant corporation, like Google (who are decidedly less ethical than MS even), Facebook (worse still, and in extremis) , Apple, Twitter et Al. The company has one purpose: generating cash. They all do.

          I use Mint as a desktop and I love it, definitely better than Windows. But frig me, there are some annoying limitations and bugs in newly released versions. Strangely, people don't seem to mention them and class the entire Linux ecosystem as shite because Bluetooth is playing up on cinnamon desktop.

          MS aren't uniquely bad, and you aren't on the smart side of the argument just because you slag them off. They have done enormous good and a lot of damage. And they have acted as shameless bullies and profiteers. You will NEVER find a big company that hasn't.

          Yeah, Exchange Online might not have 100% uptime, but that is not why corporate customers use it. They use it because it meets their requirements on uptime, cost and supportability. Why is it that everyone on here expects perfection from Microsoft, but doesn't want to pay for it? I work for a cloud provider that provides much better uptime figures and better SLAs in other areas than MS / O365 / Azure. Trouble is, it costs a small fortune to provide that service, and few companies are willing to pay.

          You (if you have a personal account) or your employer / customer sign up to those terms willingly, you know what the risks and benefits are. If service doesn't match your requirements, claim your service credits, then move your business elsewhere, move jobs if it's so unbearable.

          In Azure / O365 you are leveraging economies of scale and division of labour to achieve low cost. You might not be getting vintage claret, but you're not paying for it either. You're not even asking for it! You're getting something lower end, but that's all you've bought. Change the bottle, pay a bit more, but if you can't afford top end plonk, you'll be on the Lambrini.

          1. don't you hate it when you lose your account

            Totally agree

            This reminds me of the one truly good thing Mr jobs did, ban Flash. Truth is the Internet and it's protacols were never ment for where we sit today. A lot more pain than this is required to fix what we currently have.

          2. TonyJ Silver badge

            All reasonable comments.

            Also there is a fair bit of moaning about aspects of MS products that were true 10, 15 or 20 years ago but were fixed an awful long time ago as well.

            It does seem - and I've said it before here - that some of the the very vocal proponents for freedom of choice are fine with the concept providing that choice aligns with their own.

          3. Wayland

            Oh yes people do blame the whole of Linux when something fairly obscure does not work for them on one distro. The difference with Microsoft is their screwups have a bigger effect. Microsoft also use their position to dictate to the market. This can be a good things such as in security but bad if it's used to force business to use them not through choice.

          4. The First Dave

            I don't here anyone blaming MS for insisting on OAuth

            I DO here people blaming them for not having the supporting tools ready. With good reason.

            1. Anonymous Coward
              Anonymous Coward

              Like spell checking.

              Will anyone give me a hear hear?

          5. Morat

            On prem or hosted, Zimbra is cheaper, fully featured and super simple to admin. M$ are expensive AND shit.

  3. Anonymous Coward Silver badge

    Isn't cloud lovely

    Now you get the opportunity to have all of your users pissed at you and there is literally nothing you can do about it other than say "yeah, microsoft made us do it".

    Techs might understand, but the masses will just blame us for not giving them a way around it.

    1. LewisRage

      Re: Isn't cloud lovely

      > there is literally nothing you can do about it

      I'm imagining you'd be the kind of person who'd go all "Hurr Durr typical M$ Microshaft" if it became apparent that their ongoing support of basic authentication was being exploited in some way.

    2. Anonymous Coward
      Anonymous Coward

      Re: Isn't cloud lovely

      Lets look at the alternative - on-premise systems.

      You install you on-premise Exchange system. In 7 years time (or less depending when you installed it) it reaches end of life and you should replace it. You don't, because you are in control.

      Two to three years later, you have a number of security issues, you end up using a third-party to provide additional security that stops working with your end-of-life environment and suddenly you have OS/Application/Client upgrades in one massive, expensive hit. All to do the things you refused to do in a timely fashion when you had choice. Add in a few security scares that necessitate significant effort to address (i.e. downtime for patching or new systems to provide missing functionality) and the end-user experience can quickly turn sour.

      Cloud is the other extreme - change happens very quickly and is often difficult to keep up with if you have a significant amount of integration between business systems. But I believe the cloud approach is more manageable for most businesses over a medium to long time period. And users see a system that mostly works 24/7 rather than one that always works 8x5 until it doesn't.

      1. Morat

        Re: Isn't cloud lovely

        Yeah, well the only two reason I can think of to stay on an old version of an application are:

        1. It's expensive to change between versions

        2. It's technically demanding to change between versions

        Neither of these things have to be true for a mail/collab server, although they are certainly true for most versions of Exchange on Prem.

  4. AMBxx Silver badge

    Dum question

    Does anybody use POP anymore? Most people have multiple devices and POP either deletes from the server when retrieved or you end up deleting the same email on every device. Has POP changed since I last used it (>10 years ago).

    1. DougMac

      Re: Dum question

      Yes. Older Outlook clients have a crappy IMAP implementation, most people used POP email with them to stay sane. Many others just chose it as default.

      That method of deleting email is only the _default_ for POP (vs. IMAP where the default is not to delete). You can have your POP email client do a variety of options for download & delete, or delete on a schedule, etc. etc depending on options you tick.

    2. Snake Silver badge

      Re: Dum question

      I use POP on a one (singular) of my devices, all others are IMAP. This allows me access to messages until I am ready to, quite intentionally, remove them from the server, download them, and then archive them using my own methods. Keeping email on IMAP servers, mistaking that for "storage", is a grave mistake and a potential privacy failure if/when your login is hacked.

      Speaking of which, I guess it's about time for me to archive again...

    3. SabreMogDawg

      Re: Dum question

      Nah, POP hasn't changed at all from then. Still bad and should not be used.

    4. Pascal Monett Silver badge

      I do. All the time.

      I am not leaving my mail on somebody else's server. My mail is mine, and goes to my local storage.

      I love POP. I'll never stop using it.

      But then, I'm the kind who keeps mainly to himself and doesn't spaff his private life all over the web for all to see without a thought.

      1. Tamz

        Re: I do. All the time.

        I may have to look into that .... then again I fully 100% trust my hosting company. And after watching the email literally delete from my inbox before my eyes on Outlook (despite my yelling "YOU $)%(#) NOOOOOO!" loudly and repeatedly while it happened) my hosting provider was able to re-create my email box through midnight the night before. So IMAP does have it's advantages! LOL

    5. Anonymous Coward
      Anonymous Coward

      Re: Dum question

      I've got an old domain that has a couple of basic POP accounts on it (stupidly set them up for me and the parents >10 years ago) and still use POP to download all the mail into gmail, thus clearing it off the - very limited - accounts on the cheapo server and making them available to gmail in our android devices. It's not pretty but it works; gmail also has the option to send-as those accounts so it looks seamless to recipients.

    6. Wayland

      Re: Dum question

      Pop has it's place. If you don't trust your provider to keep your emails then pop lets you keep them on your computer by default. With IMAP even though they are on your computer if they are removed from the server they will be removed from your computer at the next login.

    7. AMBxx Silver badge

      Re: Dum question

      You're a harsh crowd today - I only asked a question, not making any comment on the current strengths or weaknesses of POP.

  5. JohnFen

    I hope that I don't have to use Outlook

    I'm forced to use O365 at work, but I mitigate some of the most annoying aspects of that by using a third-party email client rather than outlook. I sure hope that I don't have to start using Outlook. :(

  6. alanjmcf

    “[…] Microsoft has an updated Azure AD sign-in report – provided that you have a premium version of Azure AD.”

    But as the blog says: “we’re rolling out a change very soon to make it available to all customers, providing them with a 7-day rolling report of client login activity.”

  7. Inventor of the Marmite Laser

    Orifice 365. This is a leap year. Will it have a day off?

    1. don't you hate it when you lose your account

      Or will

      They use it as an opportunity to marry apple again.

    2. This post has been deleted by a moderator

  8. This post has been deleted by its author

  9. Steve McIntyre

    Started looking at developing support for this in offlineimap, but...

    OAuth2 is an utter PITA to support. Every imlementation looks different.

  10. Anonymous Coward
    Anonymous Coward


    Whatever possessed Microsith to think that describing O364 galley-slaves as "tenants" was in any way a good thing? It makes me think of precarious housing tenants living in ramshackle slums "managed" (or usually not) by evil rogue uncaring landlords, where things never get repaired if they go wrong, and they'll chuck you out on the street at a moment's notice if they feel like it.

    Hmm, actually that's probably a more accurate description than they ever intended...

    1. JohnFen

      Re: "tenants"

      "Tenants" is actually the industry-standard term for customers of such services. Microsoft didn't invent it.

  11. ThinkingMonkey

    Outlook? For email?

    So you learn something new every day. I thought Microsoft stopped development of Outlook in 1989 or so ;)

    1. This post has been deleted by a moderator

  12. anthonyhegedus Silver badge

    What about Office 365 Premium?

    What about people using Office 365 Premium? The article says Office 365 ProPlus. Does that mean that the product that lots of people have bought that works with Outlook will no longer work? What will be the point of office 365 premium? It's a product that comes with Office and email and Sharepoint.

    1. TRT Silver badge

      Re: What about Office 365 Premium?

      I have a ProPlus subscription. I really need it so I can stay awake to put in all the extra hours on the help desk this will cause. ;-)

    2. This post has been deleted by a moderator

  13. Anonymous Coward
    Anonymous Coward

    My beloved employers at the Open University graciously allow web access to Outlook, but have turned off the ability to search emails because "it's a security risk". Infosec people are weird.

  14. burnard

    Zero impact change

    Nuff said

  15. Mike Shepherd

    Disruptive changes

    Disruption - just what customers love.

  16. Anonymous Coward
    Anonymous Coward

    Not popular

    As somebody who switched from Windows to Apple several years ago, and is very happy with the way everything works together within the Apple orchard, it will be a right pain if Apple's native Mail app(s) can't cope. I've several email accounts that use 365 (one is for a charity and another an FE college) - around a dozen different accounts all (currently) play nicely together in the native iOS/MacOS Mail app. I have Outlook available but I find the simplicity of Apple's offering far better.

    I initially bemoaned the fact, when leaving Outlook behind, that Apple's Mail, Calendar and Reminders apps were separate but, several years down the line, I've actually found keeping them separate works better for me. Mind you, it's helped a lot by the way iOS/MacOS keeps everything in order, in a way that Windows never seemed able to.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not popular

      Update: I've checked and Apple Mail (in iOS, iPadOS and MacOS) works fine with the new requirements. Haven't checked all versions but, for iOS, the authentication system was implemented in v11. If an account has been set up as SMTP or POP, it probably means deleting the account in Mail and re-adding it as an Exchange one - a task of a few minutes (assuming you can remember the password).

  17. LeahroyNake

    Help me understand

    This is an honest question, please don't take the piss as I am sure other people here would like an explanation as well.

    Firstly Basic Authentication. I take this to mean username and password sent to a server from a device. The username and password are stored on the device / email client or maybe a copier. It's a simple case of entering these details once and the device will remember them. This does not mean that the details are sent in plain text but encrypted during transit if using the correct protocols, TLS or Starttls etc.

    How does modern auth improve on this? How is the device initially configured if not with a username / password?

    1. simpfeld

      Re: Help me understand

      Yes, I'd like to know what is so wrong with Basic over TLS (IMAPS on a dedicated port). I guess starttls has had issues with "Man in the Middle" with not passing the starttls to the real server, so being able to intercept. But I don't see any difference between IMAPS vs an HTTPS based authenticator. A genuine question from me too!

    2. This post has been deleted by a moderator

  18. Adam JC

    It's all good news except...

    Those with archaic (In fact, some recent not-so-archaic) photocopiers that don't support SSL/TLS for outbound SMTP when scanning-to-email are the scourge of the earth, but unfortunately they're also extremely common. I've lost count of the number of times we've had to set up an SMTP-relay for these cretinous things! :-(

    1. LeahroyNake

      Re: It's all good news except...

      I agree with you but as I mainly deal with Ricoh I can confirm that the vast majority of their machines support SSL encryption for SMTP connections.

      Enabling SSL for SMTP Connections


      Use the following procedure to enable SSL encryption for SMTP connections.

      1Log in as the network administrator from the control panel.

      2Press [System Settings].

      3Press [File Transfer].

      4Press [SMTP Server].

      Operation panel screen illustration

      5In "Use Secure Connection (SSL)", press [On].

      If you are not using SSL for SMTP connections, press [Off].

      When "Use Secure Connection (SSL)" is set to [On], the port number changes to 465.

      6Press [OK].

      7Log out.

      If the option is not shown ask a Ricoh tech to update the firmware / takes around half hour. Unfortunately / officially only Ricoh certified techs can get access to the FW files as it is quite easy to damage the machine and can be expensive to rectify if it is not done properly. The most common machine that is still in the field that does not support it from new is the MP C305 but it can be updated. All machines from around 4 years ago should be fine.

  19. AndyD 8-)&#8377;

    IMAP server storage

    well I travel around a bit and use several devices. Having had a couple of NAS's fail on me I see imap gmail (free!) as very convenient storage (I archive every year or so - time passes quicker with age).

    Google have already decided what I'm going to think next week so security is not a problem <g>.

  20. Povl H. Pedersen

    To get customers

    This is to get customers for AzureAD.

    The great secret here is, that App password completely bypasses any OAuth2 requirement, MFA etc.

    Whatever filtering you create, app password just bypasses it - At least until team Evil gets users to create one for them :-)

    Even better than getting user consent in 3 clicks.

  21. Anonymous Coward
    Anonymous Coward

    One more reason to kick Microsoft to the curb

    This is as they say... the hump that broke the camel's back. Especially to find out two things in one day. (Just found out add-ins are not available to Microsoft 365 users set up with IMAP accounts. And now they are going to shit-can allowing us to easily log in to check our email.

    This after sitting here in horror watching my entire email box empty before my eyes about two weeks ago.

    And the fact I have to change the mailing address of my credit card to my mother's every year to renew my subscription because they don't "support APO, AP addresses" on their website. REALLY MICROSOFT?? It's a field in a freaking dropdown list? Gimme the password... I'll fix the code for you to include it in the field choices.

    Yeah. I'm done.

    Ever since becoming connected with Google... they suck. Period. If we wanted them to have all of our info and emails, projects for work, etc... we'd use gmail. We don't. So they are trying to force anyone with an IMAP account to use only gmail to get all of their services. Yeah. No. I'll build my own spreadsheet app... that's all I use them for anymore anyway.. or use MACs Numbers because it actually has better features.

    Sorry. End Rant. But if everyone were to fight back against the Microsoft/Google monopoly they are going for... they'd either have to change or go tits up as a company. I personally would be elated to see the latter.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022