August 20, 2022

It's Time To Move To Modern Authentication!


In about 42 days, Microsoft will disable basic authentication for the Outlook, Exchange Web Services, POP, IMAP, Remote PowerShell and EAS protocols in Exchange Online. This means you have to change your apps and scripts to use OAuth (modern authentication). It will also impact mobile devices on which legacy authentication (EWS) is used for mail sync. If you have configured the native mail client on your managed Apple devices to use basic authentication, read on to see how to move to modern auth easily using Intune.

What is Basic Authentication & Why is Microsoft disabling it?

With basic authentication, the application sends user names and passwords over the Internet as Base64-encoded text, and the target server is not authenticated. In most cases, these credentials are also stored locally on the device, server or system. This increases the risk of compromised accounts, because MFA is hard to enforce while basic authentication is enabled.


As you might know, Apple has supported OAuth in the mail client on iOS/iPadOS and macOS devices for many years, so if you configure a “new” Exchange Online account in the native mail app on these devices, it should use modern auth. However, it is important to note that an Exchange Online account uses modern auth only if it was added to the device after OAuth support was added to the mail app. For iOS/iPadOS, Apple has confirmed that this is included as part of the iOS 15.6 upgrade, which means that if your devices are on a version lower than iOS 15.6, you will have to use your MDM solution to push this configuration for the native mail client.

Catch-22: on a device with an old iOS version, if modern auth is not configured or pushed from MDM, your mail settings might still be configured to use basic auth after you restore a backup from an old device to a new one, or use the built-in migration process to move your data and settings to a new device.


Please note: if you are blocking basic authentication using Azure AD Conditional Access, you don’t need to worry, because the clients on your devices using EAS connections will use modern authentication.

However, if you currently allow your users to use basic authentication for EAS, it’s time to start using modern authentication!

The easiest way to find the users still using basic auth is to look in your Azure AD sign-in logs and filter on Client app -> Exchange ActiveSync; this gives you the details of the devices on which basic auth is being used.
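As an added example (not from the original post), this Python script runs the same triage over sign-in records in the shape of the Graph `signIn` resource; the records below are constructed, and the filter is broadened beyond the post's Exchange ActiveSync check to the other legacy-authentication client apps the sign-in log reports.

```python
import json
from collections import defaultdict

# Client-app values that the Azure AD sign-in log groups under "Legacy
# Authentication Clients". The post filters on Exchange ActiveSync only; the
# other names are included so the same report also covers POP/IMAP/EWS clients.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3", "Authenticated SMTP",
}

# Constructed sample records in the shape of the Graph signIn resource
# (userPrincipalName, clientAppUsed, deviceDetail, status). Not real tenant data.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2022-08-19T07:12:03Z", "userPrincipalName": "alice@example.com",
  "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0},
  "deviceDetail": {"deviceId": "dev-1", "operatingSystem": "Ios 15.5", "isManaged": true}},
 {"createdDateTime": "2022-08-19T07:15:44Z", "userPrincipalName": "bob@example.com",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0},
  "deviceDetail": {"deviceId": "dev-2", "operatingSystem": "Ios 15.6", "isManaged": true}},
 {"createdDateTime": "2022-08-19T08:01:10Z", "userPrincipalName": "carol@example.com",
  "clientAppUsed": "IMAP4", "status": {"errorCode": 50126},
  "deviceDetail": {"deviceId": "", "operatingSystem": "", "isManaged": false}}
]""")


def legacy_auth_report(signins):
    """Count legacy-auth sign-ins per (user, client app, OS, device id).

    Successful and failed attempts are counted separately: a successful
    Exchange ActiveSync sign-in is a device that still has a basic-auth mail
    profile and needs the OAuth toggle, while repeated failures from an
    unmanaged IMAP4 client with no device id may be password guessing against
    the account rather than a user's phone, and deserve a different follow-up.
    """
    report = defaultdict(lambda: {"ok": 0, "failed": 0})
    for s in signins:
        if s.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        dev = s.get("deviceDetail") or {}
        key = (s["userPrincipalName"], s["clientAppUsed"],
               dev.get("operatingSystem", ""), dev.get("deviceId", ""))
        outcome = "ok" if s.get("status", {}).get("errorCode", 0) == 0 else "failed"
        report[key][outcome] += 1
    return dict(report)


if __name__ == "__main__":
    for (upn, app, os_name, dev_id), n in legacy_auth_report(SAMPLE_SIGNINS).items():
        print(f"{upn}: {app} from {os_name or 'unknown OS'} (device {dev_id or 'n/a'})"
              f" ok={n['ok']} failed={n['failed']}")
```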

Microsoft and Apple help you make a smooth transition to OAuth for thousands of users in your organization by simply using the Azure AD service principal (enterprise app) called “iOS Accounts.” With the help of Graph APIs, Apple uses this service principal to retrieve account information and access user mailboxes with EAS. As the device is managed and already holds the user’s credentials, this ROPC workflow allows the application to sign in by directly handling the user’s password, which gives you an added advantage.

Please ensure that you grant admin consent for the three Graph permissions the app needs on behalf of the organization; otherwise, users will have to consent themselves while they configure the native mail client.

MDM as an Exception

If you are using Intune or any other MDM solution to configure the native mail client on your iOS/iPad OS or macOS devices, then this enterprise app will NOT update the mail app profile on your managed devices.

A. Update existing email profiles to use OAuth:

Follow the steps below to update the existing email profile for your iOS and iPadOS devices to switch to modern authentication.

1. Sign in to the Microsoft Endpoint Manager admin center.

2. Select Devices > iOS/iPadOS devices > Configuration profiles.

3. Search for the email profile that you have configured & pushed to the devices.

4. Scroll down to Configuration settings and click Edit.

5. Toggle OAuth to “Enable” to force the connection to switch to modern authentication.

6. Click “Review & Save” and then Save on the next page to save the configurations.
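To check the same toggle from the Graph API side, here is an added Python example (not from the post and not Microsoft's code) that lists the iOS EAS email profiles whose `useOAuth` flag is still off and builds the PATCH body that enables it. The profile list in the block is a constructed sample; live use assumes a `GRAPH_TOKEN` environment variable holding a token with `DeviceManagementConfiguration.ReadWrite.All`, and only patches when `APPLY=1` is also set.

```python
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
IOS_EAS_TYPE = "#microsoft.graph.iosEasEmailProfileConfiguration"

# Constructed sample of what GET .../deviceConfigurations returns, trimmed to
# the fields this check needs. Ids and names are placeholders, not a real tenant.
SAMPLE_PROFILES = [
    {"@odata.type": IOS_EAS_TYPE, "id": "11111111-aaaa", "displayName": "iOS mail (legacy)",
     "hostName": "outlook.office365.com", "authenticationMethod": "usernameAndPassword",
     "useOAuth": False, "useSsl": True},
    {"@odata.type": IOS_EAS_TYPE, "id": "22222222-bbbb", "displayName": "iOS mail (modern)",
     "hostName": "outlook.office365.com", "authenticationMethod": "usernameAndPassword",
     "useOAuth": True, "useSsl": True},
    {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration", "id": "33333333-cccc",
     "displayName": "iOS restrictions"},
]


def profiles_needing_oauth(profiles):
    """Return the iOS EAS email profiles whose useOAuth flag is not set."""
    return [p for p in profiles
            if p.get("@odata.type") == IOS_EAS_TYPE and not p.get("useOAuth", False)]


def oauth_patch_body():
    """PATCH body that flips a profile to OAuth. Graph needs the @odata.type so
    it knows which derived deviceConfiguration type is being updated."""
    return {"@odata.type": IOS_EAS_TYPE, "useOAuth": True}


def graph_request(method, url, token, body=None):
    """Minimal Graph call with a bearer token (assumed to be obtained elsewhere)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None  # PATCH returns 204, no body


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumption: token with DeviceManagementConfiguration.ReadWrite.All
    profiles = graph_request("GET", GRAPH, token)["value"] if token else SAMPLE_PROFILES
    for p in profiles_needing_oauth(profiles):
        print(f"{p['id']} {p['displayName']}: useOAuth is off")
        if token and os.environ.get("APPLY") == "1":
            graph_request("PATCH", f"{GRAPH}/{p['id']}", token, oauth_patch_body())
```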

The following steps show the sequence of changes on the user’s end:

– As soon as the iOS device syncs with Intune and gets the new policy, the user gets a pop-up message on the device screen asking them to enter the password for the Exchange account.

– Tap Edit Settings, which automatically takes you to the iPad Settings and into the configured email account, where the web-based modern authentication login opens. Enter your password and press Sign in.

– It then automatically verifies everything and steps through a couple of screens before completing.

B. Create an email device profile for iOS/iPadOS:

Follow the steps below to automatically configure email profiles on your end users’ devices and let them access company email without any setup on their part. You can also use these pre-configured email profiles to evaluate device compliance and use Conditional Access (CA) to block any non-compliant devices from accessing corporate email.

P.S.: you must set “Unable to set up email on the device” to “Require” in the compliance policy if you want to use it with Conditional Access.

1. Sign in to the Microsoft Endpoint Manager admin center.

2. Go to Devices > iOS/iPadOS devices > Configuration profiles > Create profile.

3. Under Templates, select Email as the profile type.

4. In Basics, enter a Name and Description for the profile and click Next.

5. In the Configuration settings page, enter the required configurations and click Create.

6. On the next page, assign the policy to the required groups.

Awesome… job done, and your iOS devices are now using modern authentication for Exchange mail services.