Upgrade Mail App Profiles for Modern Authentication

Last year I wrote about the need to upgrade the Apple iOS Mail app on some devices to deal with Microsoft’s phasing out of basic authentication. This isn’t because the Apple client doesn’t know how to support OAuth authentication flows (the necessary code is available from iOS 12 on). Instead, it’s because the user profiles for the Mail app are old and specify basic authentication. In fact, because Apple makes it so easy to transfer data and settings from an old to a new device, they have faithfully transferred many old mail profiles to spanking new iPhone 11, 12, and 13 devices over the last few years.

Microsoft very badly wants to remove basic authentication for Exchange connection protocols. In line with their plan to remove basic authentication for all tenants on 1 October 2022, Microsoft has already disabled basic authentication in many Microsoft 365 tenants. In other tenants, where some protocols (like ActiveSync) are actively using basic authentication, they are busily disabling unused protocols, like POP3 and IMAP4. The SMTP AUTH protocol remains an exception to allow customers more time to upgrade devices and code which use the protocol to send email via Exchange Online. If you’ve got some PowerShell scripts that send emails, it’s time to upgrade them to use the Microsoft Graph API or the Microsoft Graph PowerShell SDK.

Today, Microsoft shared its plans to help Microsoft 365 tenants upgrade iOS and macOS devices with mail app profiles still configured for basic authentication. As you might expect, Apple devices are popular with the Microsoft 365 user base, and there could be tens of millions of devices that need to update their mail app profile. Message center posts will appear over the next few days to inform tenant administrators what they should do. If you don’t see a notification in the Microsoft 365 message center, it means that Microsoft’s telemetry can’t detect the presence of any Apple devices in your tenant.

Microsoft and Apple have cooperated to make the iOS mail app request a profile upgrade. Microsoft’s post says that an upcoming Apple iOS update will include the necessary code to invoke the ROPC workflow and make the switchover for iOS and iPadOS devices.

Update (July 11): Apple has disclosed that the profile update will happen in an iOS 15.6 update.

When an upgrade wave kicks off, if a device detects that its mail app profile is set to use basic authentication, it invokes a processing flow called Resource Owner Password Credentials (ROPC). This is an OAuth 2.0 grant which takes advantage of the fact that the iOS clients have cached user credentials (username and password) to request OAuth credentials (access and refresh tokens). If permitted, the ROPC flow signs in as the user to acquire the OAuth tokens. This happens silently, without user knowledge, and with no manual intervention required.

It’s a terrific way to upgrade large quantities of clients without forcing users to recreate their mail profiles and resynchronize their mailbox. Although Microsoft’s documentation warns against using ROPC, this scenario is a good example of where the use of a seldom-deployed and warned-against mechanism is justified. If everything goes to plan, the millions of Apple devices which connect to Exchange Online today via ActiveSync using basic authentication will switch over to begin using modern authentication seamlessly (without disturbing users).
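For administrators who want to track the switchover from sign-in logs, here is an added example (not from the original post or from Microsoft) that classifies each user by whether a basic authentication sign-in was seen before or after that user's first ROPC sign-in. The records are constructed, and the field names and values (clientAppUsed, authenticationProtocol, "ropc") are assumptions that your export follows the Microsoft Graph signIn resource.

```python
# Clients the sign-in log reports for legacy (basic authentication) protocols.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sample records, not real tenant data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2022-07-25T08:00:00Z", "userPrincipalName": "ann@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "authenticationProtocol": "none"},
    {"createdDateTime": "2022-07-26T09:10:00Z", "userPrincipalName": "ann@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationProtocol": "ropc"},
    {"createdDateTime": "2022-07-26T09:11:00Z", "userPrincipalName": "ann@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2022-07-25T10:00:00Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "authenticationProtocol": "none"},
    {"createdDateTime": "2022-07-24T07:00:00Z", "userPrincipalName": "cho@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationProtocol": "ropc"},
    {"createdDateTime": "2022-07-27T07:30:00Z", "userPrincipalName": "cho@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "authenticationProtocol": "none"},
]


def migration_status(signins):
    """Map each user to 'basic-auth', 'migrated', 'mixed' or 'modern'."""
    last_legacy, first_ropc, users = {}, {}, set()
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user, when = rec["userPrincipalName"].lower(), rec["createdDateTime"]
        users.add(user)
        if rec.get("authenticationProtocol") == "ropc":
            first_ropc.setdefault(user, when)   # the one-time profile upgrade
        elif rec.get("clientAppUsed") in LEGACY_CLIENTS:
            last_legacy[user] = when            # basic authentication still in use
    status = {}
    for user in users:
        if user not in first_ropc:
            status[user] = "basic-auth" if user in last_legacy else "modern"
        elif user in last_legacy and last_legacy[user] > first_ropc[user]:
            status[user] = "mixed"  # another device or profile still uses basic auth
        else:
            status[user] = "migrated"
    return status


if __name__ == "__main__":
    for user, state in sorted(migration_status(SAMPLE_SIGNINS).items()):
        print(f"{user}: {state}")
```

Users reported as basic-auth or mixed are the ones whose devices will lose connectivity when basic authentication is disabled for the tenant.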