One way attackers wiggle into Microsoft Exchange Online is through systems that have Basic Authentication enabled. Account compromise rates in tenants that have disabled legacy authentication are significantly lower than the overall rate. Microsoft has announced it will turn off Basic Authentication for Exchange Web Services on October 13, 2020.
Last week Microsoft went one better and announced it will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online on the same date. Any application using OAuth 2.0 to connect to these protocols will continue to work without change or interruption. I’ve already recommended that you disable Basic Authentication to beef up security in Office 365.
What should you do now if you have Office 365? Start by moving away from the native email applications on Android and Apple iPhones and moving people to the Outlook applications. If you are planning a move to Office 365 away from on-premises Exchange, you should move people over to the application now. The application supports additional protocols and email platforms, so if your users receive personal email as well as the firm email on their phones, you can migrate all email over to Outlook.
There are several ways to handle the migration. Smaller firms can send a communication to their clients instructing them how to find the application in the app store on their phones, download it, and set up their email account in the new application. If Autodiscover is set up properly, all you need to do is tell people to download the application and enter their email address and password; the application will then connect to the appropriate mail server.
Alternately, you can use Intune to assign the Outlook app to users. I recommend rolling out the Outlook app while letting people keep the native phone app so you can fine-tune adjustments in the Outlook app and get people used to the change.
Moving to Outlook using Intune
As noted in the blog post, you’ll want to go to the Azure Portal and log in as an administrator. Click on “Add” and select “iOS” and then browse for the Outlook app. Review the information provided automatically by clicking on “App information”.
Next click on “Assignments” and “Add group”. Select “Required” at “Assignment type” to enforce the app on mobile devices.
Select “Included Groups” and choose which group you want to target, or use the switches to deploy to all users or all devices. Once you configure the included assignment, click “Ok” at the bottom. If you want to prevent users from copying business information from the Outlook app into a personal app, you can set up an app protection policy to limit this.
To create an app protection policy, open your browser and navigate to the Intune app protection policies page in the Azure portal. Click on “Add a policy” and type a policy name. Select the iOS platform and click on “Select required apps”. Check all apps and click “Select” at the bottom. Click on “Configure required settings” and change these settings:
- Allow the app to transfer data to other apps: Policy managed apps
- Prevent “Save As”: Yes
- Select which storage services corporate data can be saved to (e.g., OneDrive for Business, SharePoint)
- Restrict cut, copy and paste with other apps: Policy managed apps with paste in
Click on “Ok” at the bottom once you’re finished. Click “Create” at the bottom to save the new policy.
Now that the policy is created, assign the policy to the same group you used to deploy the Outlook app. Click on your new policy and then click “Assignments”. Click on “Select groups” to include, choose the same group previously selected for Outlook app assignment, and click “Select”.
You can now use the Outlook app throughout your organization. The app supports modern authentication, and once you’ve weaned users off the native phone application, you can disable Basic Authentication without any side effects. Some users may prefer the Focused Inbox view in the Outlook app; others will want Focused Inbox turned off and conversations left unthreaded. Finally, you can remove the native mail account by going into the phone’s settings, opening the accounts and passwords section, and deleting the existing account.
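The phased approach described above (keep the native app alongside Outlook during the rollout, then cut off Basic Authentication once users have moved) can be enforced on the Exchange Online side with an authentication policy. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that a distribution group named “Outlook Pilot” (a placeholder name) holds the users already on the Outlook app.

```powershell
# Added example: block Basic Authentication for a pilot group first, then make the
# policy the tenant default once the Outlook app rollout is complete.
# Assumptions: ExchangeOnlineManagement module installed; a distribution group
# called "Outlook Pilot" (placeholder) contains the users already moved to Outlook.

Connect-ExchangeOnline   # interactive admin sign-in using modern authentication

$policyName = 'Block Basic Auth'
$pilotGroup = 'Outlook Pilot'   # placeholder group name, change to suit

# 1. Create the policy. New-AuthenticationPolicy blocks Basic Auth for every
#    protocol (EWS, EAS, IMAP, POP, RPS, SMTP, ...) unless an AllowBasicAuth*
#    switch is explicitly set, so no extra parameters are needed to block all of them.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 2. Apply the policy to the pilot mailboxes and reset their refresh tokens so the
#    policy takes effect promptly rather than at the next scheduled token refresh.
Get-DistributionGroupMember -Identity $pilotGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' } |
    ForEach-Object {
        $upn = $_.PrimarySmtpAddress.ToString()
        Set-User -Identity $upn -AuthenticationPolicy $policyName
        Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
        Write-Host "Basic Auth blocked for $upn"
    }

# 3. Check coverage: count user mailboxes per assigned policy. Mailboxes with no
#    explicit policy fall under the tenant default (none yet, at this stage).
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Group-Object AuthenticationPolicy |
    Select-Object @{ n = 'Policy'; e = { if ($_.Name) { $_.Name } else { '(tenant default)' } } }, Count

# 4. When everyone is on the Outlook app, make the policy the tenant default so
#    every mailbox without an explicit policy is covered. Left commented on purpose.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Run steps 1 to 3 during the pilot and re-run step 3 as groups are added; the summary makes it obvious who is still outside the policy before step 4 flips the tenant default.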
The change does not affect SMTP authentication (authenticated SMTP submission). However, you may want to review how you have SMTP authentication set up.
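A review of SMTP AUTH, which the Basic Authentication retirement leaves untouched, can be scripted as well. This is an added example rather than code from the article; it assumes the ExchangeOnlineManagement module, and the service-account address in the final commented line is a placeholder.

```powershell
# Added example: report which mailboxes can still use SMTP AUTH, taking both the
# tenant-wide switch and per-mailbox overrides into account.
# Assumption: ExchangeOnlineManagement module installed; addresses are placeholders.

Connect-ExchangeOnline

# Tenant-wide switch: $true means SMTP AUTH is off for every mailbox unless a
# mailbox explicitly re-enables it.
$org = Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
"Tenant-wide SMTP AUTH disabled: $($org.SmtpClientAuthenticationDisabled)"

# Per-mailbox setting: $null inherits the tenant setting, $true forces SMTP AUTH
# off for that mailbox, $false forces it on. Work out the effective state.
$report = Get-CASMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, SmtpClientAuthenticationDisabled,
        @{ n = 'EffectiveSmtpAuth'; e = {
            if ($null -eq $_.SmtpClientAuthenticationDisabled) {
                if ($org.SmtpClientAuthenticationDisabled) { 'Off (tenant)' } else { 'On (tenant)' }
            }
            elseif ($_.SmtpClientAuthenticationDisabled) { 'Off (mailbox)' }
            else { 'On (mailbox)' }
        } }

# Mailboxes that can still authenticate over SMTP; each one is a place where a
# harvested password would still work, so every entry should have a known owner.
$report | Where-Object { $_.EffectiveSmtpAuth -like 'On*' } |
    Sort-Object DisplayName | Format-Table -AutoSize

# Typical hardening once the devices and apps that genuinely need SMTP AUTH are
# identified: disable it tenant-wide, then re-enable it only for those accounts.
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@example.com' -SmtpClientAuthenticationDisabled $false
```

The “On (tenant)” rows are the ones worth attention: those mailboxes keep SMTP AUTH only because nobody has decided otherwise, and they disappear from the report as soon as the tenant-wide switch is set.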
Change is coming to Office 365 and Microsoft’s mandate will help keep us all safer from credential harvesting attacks. Take the time now to migrate to safer and more secure applications.
Copyright © 2019 IDG Communications, Inc.