Microsoft 365 Admin Center Releases Software Update Page
Message Center Notification MC397469 (July 5, 2022) announced the arrival of a new Microsoft 365 Software Updates page under the Health section of the Microsoft 365 admin center. The page is currently in preview, but according to Microsoft 365 roadmap item 82148, it should be generally available in August. The idea is that the new page gives tenant administrators a simple way to discover the update status of Office and Windows on devices known to the organization. As Figure 1 shows, my tenant is in pretty good shape.
Figure 1: The Software updates page in the Microsoft 365 admin center
Access to the data is limited to certain administrative roles including Global administrator, Global reader, Office apps admin, Reports reader, usage summary reports reader, Intune administrator, and Exchange administrator. The information presented in the report comes from device telemetry gathered when devices connect to Microsoft 365.
The Imminent Need for Upgrade
It’s a good idea to know whether software used to connect to a service is patched appropriately. Over the years, Microsoft has been reasonably accommodating in terms of the range of clients (desktop, mobile, and browsers) that people could connect to Microsoft 365. Things started to tighten up as the retirement of Internet Explorer approached. Indeed, Teams rejected IE as long ago as November 2020.
However, the need to upgrade client software is heading for a crunch period as organizations prepare for Microsoft to begin turning off basic authentication for seven email connectivity protocols in October 2022. The increasing number of warnings from Microsoft and the steps they’re taking to highlight the issue to customers is evident that some tenants might not be listening to the warnings.
Outlook
Outlook for Windows is a huge client for Exchange Online. Given its long history, it’s unsurprising that some older Outlook clients are still in use. Microsoft wants customers to make sure that they have enabled modern authentication for Outlook. Check by running the Get-OrganizationConfig cmdlet to ensure that the OAuth2ClientProfileEnabled setting is True:
There’s more to do after that, like making sure that users have recent Outlook clients installed. Outlook 2016 or later is recommended. The Outlook click-to-run version in Microsoft 365 apps for enterprise uses modern authentication out-of-the-box.
Apple Mail App
Last month, Microsoft released details of the automated approach they’re taking in conjunction with Apple to move Apple Mail app users to modern authentication. Two important gotchas need consideration. First, the automated approach won’t work if the organization deploys an MDM solution (Apple doesn’t want to mess with organization-controlled configurations, so they exclude these devices from their automatic update process). Second, the mail app uses Exchange ActiveSync to connect to personal Exchange Online mailboxes and that’s what the upgrade to modern authentication affects. If you use Apple devices to access shared mailboxes via IMAP4, the upgrade won’t do anything to enable modern authentication for IMAP4 (the Exchange ActiveSync protocol doesn’t support shared mailboxes).
If you’re in this position, maybe now is the right time to move from the Apple mail app to Outlook for iOS, which supports shared mailboxes natively. You might be waiting a while for Apple to update their IMAP4 implementation to connect to Exchange Online via modern authentication.
Other Exchange ActiveSync Clients
Microsoft and Apple are working together to solve the modern authentication issue for Apple mail clients, but what of all the other mobile device mail clients that use Exchange ActiveSync to connect to Exchange Online? The simple answer is that it’s the vendor’s responsibility to upgrade their clients so that they can connect to Exchange Online in a secure manner. The practical answer is that you should contact the vendor and ask them how their mail clients will work once basic authentication is unavailable.
IMAP4 and POP3
Speaking of IMAP4 and POP3, Microsoft has released support for modern authentication for the IMAP4 and POP3 protocols. This is something that client developers (like Apple) need to take care of rather than individual users. The folks who build the Thunderbird client have done a good job of making sure that this client is ready, but that’s not the case for other IMAP4 and POP3 clients, so make sure that you check if people in your tenant use these clients to connect to Exchange Online.
Developers who use IMAP4 and POP3 to retrieve messages for application rather than personal use must upgrade their applications using a different method to make sure that they can continue to access mailboxes.
No Silver Bullet for Client Health
The new Software updates page won’t tell you anything about the state of non-Microsoft clients. Tenants with Office 365 E3 or higher plans that include Microsoft 365 apps for enterprise might find the feature useful, but it’s not going to be a silver bullet to keep client software in robust health. Welcome as it is, the new Software updates page will be the source of some additional information, but that’s about all.
Keep up to date with developments like the transition to modern authentication for email connectivity protocols by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.
2 Replies to “Pace Heats Up as Microsoft Stresses Need for Email Client Updates”
I don’t understand why this article says Apple Mail uses ActiveSync. It actually doesn’t show up like that in Azure AD if OAuth2 was used to connect in the Mail app. It shows up as a browser client, not ActiveSync. Why are you lying and saying it won’t work with an MDM solution? You can deploy the Mail profile with OAuth2 turned on…
As to why it doesn’t show up as ActiveSync in Azure AD, that could be because the connect that comes into Azure AD is post-OAuth authorization and that’s what’s picked up.
I’m not saying (or lying) that OAuth2 won’t work with iOS mail apps managed through MDM. Microsoft said that the solution Apple will deploy to automatically upgrade mail app profiles/configurations to change them from basic authentication to modern authentication (OAuth 2) won’t work with MDM solutions because these solutions take care of app configurations, and you probably wouldn’t want Apple to mess with those configurations. As you point out, you can deploy the clients with modern authentication with OAuth enabled.
Do you usually insult people with your comments to posts?
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
I don’t understand why this article says Apple Mail uses ActiveSync. It actually doesn’t show up like that in Azure AD if OAuth2 was used to connect in the Mail app. It shows up as a browser client, not ActiveSync. Why are you lying and saying it won’t work with an MDM solution? You can deploy the Mail profile with OAuth2 turned on…
The native Apple mail app uses Exchange ActiveSync to communicate with Exchange Online and has done since its first inception. Here’s a link to the documentation: https://docs.microsoft.com/en-us/exchange/clients/exchange-activesync/exchange-activesync?view=exchserver-2019
As to why it doesn’t show up as ActiveSync in Azure AD, that could be because the connect that comes into Azure AD is post-OAuth authorization and that’s what’s picked up.
I’m not saying (or lying) that OAuth2 won’t work with iOS mail apps managed through MDM. Microsoft said that the solution Apple will deploy to automatically upgrade mail app profiles/configurations to change them from basic authentication to modern authentication (OAuth 2) won’t work with MDM solutions because these solutions take care of app configurations, and you probably wouldn’t want Apple to mess with those configurations. As you point out, you can deploy the clients with modern authentication with OAuth enabled.
Do you usually insult people with your comments to posts?