Educause Security Discussion mailing list archives
Re: [EXTERNAL] [SECURITY] MS Deprecation Basic Authentication
From: "Theodore J. August" <theodore.august () SALVE EDU>
Date: Mon, 30 Aug 2021 17:15:19 +0000
We found that many of the credential stuffing attacks against Azure AD use automated tools that authenticate POP/IMAP/SMTP to verify if credentials may or may not be valid.

Our official policy is we “fully support” all Outlook clients and Outlook on the Web for checking e-mail. The built-in apps mail/contacts/calendar accounts are “best effort” supported on macOS, iOS/iPad OS, Windows 10, and Android (Gmail and Samsung make modern auth clients). I believe these all now use an updated version of ActiveSync that supports modern authentication and MFA. All other apps are not allowed – no exceptions. This includes many of these third-party apps that request Azure permissions to sync data out of mailboxes using the APIs.

There really wasn’t too much push-back on this policy. Some folks with older macOS and iOS devices that didn’t support modern auth were a little upset – we either updated them if they were a managed asset or told them what the supported versions were if it was a personal device. We had buy-in from stakeholders upstream on the policy so there were never any protests that gained traction.

Hope this helps. I can provide more details off-list if necessary. 😊

Best,
— Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Barton, Robert W. <bartonrt () LEWISU EDU>
Date: Thursday, August 26, 2021 at 11:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] [SECURITY] MS Deprecation Basic Authentication

Morning,

Q2 of this year, Microsoft was scheduled to deprecate basic authentication in M365. It has been postponed for now. But this just gives tenants more time to address the apps/people using older protocols.
For those using Apple products, it seems that IMAP, SMTP, and POP are common, and the products have no updates/upgrades to be found to address this coming issue. If you had these products in the mix, what did you move to? Did you force people to move to OUTLOOK.COM?

Some people are reticent to move to a MS product, so I figured others may have already had this dance with staff and faculty, and maybe had an answer. Yes, IT was more distributed previously, and this is a pain point of centralizing.

Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
1 University Parkway
Romeoville, IL 60446-2200
815-836-5663

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- MS Deprecation Basic Authentication Barton, Robert W. (Aug 26)
- Re: MS Deprecation Basic Authentication Shane Kroening (Aug 26)
- Re: MS Deprecation Basic Authentication Dmitry Vayntrub (Aug 26)
- Re: MS Deprecation Basic Authentication Rich Graves (Aug 26)
- Re: MS Deprecation Basic Authentication Barton, Robert W. (Aug 26)
- Re: MS Deprecation Basic Authentication Dmitry Vayntrub (Aug 26)
- Re: MS Deprecation Basic Authentication William Horka (Aug 26)
- Re: MS Deprecation Basic Authentication Cole, Kade (Aug 26)
- Re: MS Deprecation Basic Authentication Julian Y Koh (Aug 26)
- Re: MS Deprecation Basic Authentication Cole, Kade (Aug 26)
- Re: MS Deprecation Basic Authentication Curt Kappenman (Aug 26)
- Re: MS Deprecation Basic Authentication Menne, Michael S (Aug 26)
- Re: [EXTERNAL] [SECURITY] MS Deprecation Basic Authentication Theodore J. August (Aug 30)
- Re: MS Deprecation Basic Authentication Shane Kroening (Aug 26)