Re: [EXTERNAL] [SECURITY] MS Deprecation Basic Authentication

["Theodore J. August" <theodore.august () SALVE EDU>]

We found that many of the credential stuffing attacks against Azure AD use automated tools that authenticate 
POP/IMAP/SMTP to verify if credentials may or may not be valid.  Our official policy is we “fully support” all Outlook 
clients and Outlook on the Web for checking e-mail.  The built-in apps mail/contacts/calendar accounts are “best 
effort” supported on macOS, iOS/iPad OS, Windows 10, and Android (Gmail and Samsung make modern auth clients).  I 
believe these all now use an updated version of ActiveSync that supports modern authentiation and MFA.  All other apps 
are not allowed – no exceptions.  This includes many of these third party apps that request Azure permissions to sync 
data out of mailboxes using the API’s.

There really wasn’t too much push-back on this policy.  Some folks with older macOS and iOS devices that didn’t support 
modern auth were a little upset – we either updated them if they were a managed asset or told them what the supported 
versions were if it was a personal device.  We had buy-in from stakeholders upstream on the policy so there were never 
any protests that gained traction.

Hope this helps.  I can provide more details off-list if neccesary. 😊

Best,

—
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. 
<bartonrt () LEWISU EDU>
Date: Thursday, August 26, 2021 at 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] [SECURITY] MS Deprecation Basic Authentication
Morning,

Q2 of this year, Microsoft was scheduled to deprecate basic authentication in M365.  It has been postponed for now.  
But this just gives tenants more time to address the apps/people using older protocols.  For those using Apple 
products, it seems that IMAP, SMTP, and POP are common, and the products have no updates/upgrades to be found to 
address this coming issue.  If you had these products in the mix, what did you move to?  Did you force people to move 
to OUTLOOK.COM?  Some people are reticent to move to a MS product, so I figured others may have already had this dance 
with staff and faculty, and maybe had an answer.

Yes, IT was more distributed previously, and this is a pain point of centralizing.

Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
1 University Parkway
Romeoville, IL  60446-2200
815-836-5663

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ctheodore.august%40SALVE.EDU%7C4216149eb3f443524be408d968a326eb%7Cf0e0e20bdffd4b058c6c74ab98a56cd9%7C0%7C0%7C637655872224832241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=E3YE3JdNKrg3lHmoUzsw2I5fS72zK71fMY04WqBeU%2BE%3D&reserved=0>

*** This message was not sent from a Salve Regina University e-mail address. Please exercise caution when responding, 
clicking on links or opening attachments. ***

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community