We wanted to share this important note make sure our clients are aware that they should be using modern email clients (ie. Outlook 2013 or newer), as well as smartphones that continuously update with either the latest iOS or Android operating systems – systems that will support “Modern Authentication.” The change will go into effect on October 13, 2020 – so there is still plenty of time to prepare an update to modern software and devices. Reach out to us if you have any questions or need any help.
POP, IMAP and SMTP
The next piece of news we want to share is an update on the status of adding Modern Auth support to POP and IMAP for O365 commercial customers (we’ve had Modern Auth for IMAP in consumer Outlook.com for years).
We’ve completed our development work and are rolling out Modern Auth support for POP and IMAP in Exchange Online now. Documentation for developers is being finalized and we’ll link to it in this blog post when it is available.
Now if you are using POP or IMAP for your day to day email access, and if your current email client vendor has added support for Modern Auth, then great. But to be honest, using POP or IMAP for day to day access to your mailbox means you are really missing out. Even if you are using Outlook with those protocols you don’t get the complete calendar or contacts experience, and so switching to Outlook and using the default connectivity protocols, either for Windows/Mac, is going to make your use of email more functional and productive. And you might want to check out Outlook on the Web (OWA) – it’s changed enormously over the past few years and is a very capable and feature-filled client used by millions of people every day.
What if you are using POP and IMAP for various devices in your office? Chances are these devices are sending mail (things you have scanned for example) using SMTP email submission, so this change to POP and IMAP won’t impact them – but if you do have devices polling for mail, and the vendor has long gone or can’t update the devices to support Modern Auth for POP and IMAP, then we’re sorry… but they will hit issues.
It has to be said too that these devices are often a weak link in your security chain anyway. They have credentials stored on them, no-one ever changes the password – and if an attacker can get just one username and password in your tenant, they can see the entire tenant directory and from there go on to do far worse things.
What about 3rd party apps that integrate with your email, and use POP or IMAP to access a mailbox you have in Exchange Online? First port of call should be to speak to that vendor and ask what their plans are. As you might have seen, we’re not the only major cloud provider securing applications by removing Basic Auth, so if that application vendor wants to help their customers stay secure, they need to move to Modern Auth.
Finally, SMTP. We’re pleased to announce that we’re nearly done with the engineering work for Modern Auth for SMTP and hope we will soon be able to start the process of deploying that to the service. We’ll provide another update with some guidance on configuration and general usage as soon as we have it available.