Table of Contents
Microsoft 365 Admin Center Releases Software Update Page
Message Center Notification MC397469 (July 5, 2022) announced the arrival of a new Microsoft 365 Software Updates page under the Health section of the Microsoft 365 admin center. The page is currently in preview, but according to Microsoft 365 roadmap item 82148, it should be generally available in August. The idea is that the new page gives tenant administrators a simple way to discover the update status of Office and Windows on devices known to the organization. As Figure 1 shows, my tenant is in pretty good shape.
Access to the data is limited to certain administrative roles including Global administrator, Global reader, Office apps admin, Reports reader, usage summary reports reader, Intune administrator, and Exchange administrator. The information presented in the report comes from device telemetry gathered when devices connect to Microsoft 365.
The Imminent Need for Upgrade
It’s a good idea to know whether software used to connect to a service is patched appropriately. Over the years, Microsoft has been reasonably accommodating in terms of the range of clients (desktop, mobile, and browsers) that people could connect to Microsoft 365. Things started to tighten up as the retirement of Internet Explorer approached. Indeed, Teams rejected IE as long ago as November 2020.
However, the need to upgrade client software is heading for a crunch period as organizations prepare for Microsoft to begin turning off basic authentication for seven email connectivity protocols in October 2022. The increasing number of warnings from Microsoft and the steps they’re taking to highlight the issue to customers is evident that some tenants might not be listening to the warnings.
Outlook
Outlook for Windows is a huge client for Exchange Online. Given its long history, it’s unsurprising that some older Outlook clients are still in use. Microsoft wants customers to make sure that they have enabled modern authentication for Outlook. Check by running the Get-OrganizationConfig cmdlet to ensure that the OAuth2ClientProfileEnabled setting is True:
Get-OrganizationConfig | fl OAuth2ClientProfileEnabled OAuth2ClientProfileEnabled : True
There’s more to do after that, like making sure that users have recent Outlook clients installed. Outlook 2016 or later is recommended. The Outlook click-to-run version in Microsoft 365 apps for enterprise uses modern authentication out-of-the-box.
Apple Mail App
Last month, Microsoft released details of the automated approach they’re taking in conjunction with Apple to move Apple Mail app users to modern authentication. Two important gotchas need consideration. First, the automated approach won’t work if the organization deploys an MDM solution (Apple doesn’t want to mess with organization-controlled configurations, so they exclude these devices from their automatic update process). Second, the mail app uses Exchange ActiveSync to connect to personal Exchange Online mailboxes and that’s what the upgrade to modern authentication affects. If you use Apple devices to access shared mailboxes via IMAP4, the upgrade won’t do anything to enable modern authentication for IMAP4 (the Exchange ActiveSync protocol doesn’t support shared mailboxes).
If you’re in this position, maybe now is the right time to move from the Apple mail app to Outlook for iOS, which supports shared mailboxes natively. You might be waiting a while for Apple to update their IMAP4 implementation to connect to Exchange Online via modern authentication.
Other Exchange ActiveSync Clients
Microsoft and Apple are working together to solve the modern authentication issue for Apple mail clients, but what of all the other mobile device mail clients that use Exchange ActiveSync to connect to Exchange Online? The simple answer is that it’s the vendor’s responsibility to upgrade their clients so that they can connect to Exchange Online in a secure manner. The practical answer is that you should contact the vendor and ask them how their mail clients will work once basic authentication is unavailable.
IMAP4 and POP3
Speaking of IMAP4 and POP3, Microsoft has released support for modern authentication for the IMAP4 and POP3 protocols. This is something that client developers (like Apple) need to take care of rather than individual users. The folks who build the Thunderbird client have done a good job of making sure that this client is ready, but that’s not the case for other IMAP4 and POP3 clients, so make sure that you check if people in your tenant use these clients to connect to Exchange Online.
Developers who use IMAP4 and POP3 to retrieve messages for application rather than personal use must upgrade their applications using a different method to make sure that they can continue to access mailboxes.
No Silver Bullet for Client Health
The new Software updates page won’t tell you anything about the state of non-Microsoft clients. Tenants with Office 365 E3 or higher plans that include Microsoft 365 apps for enterprise might find the feature useful, but it’s not going to be a silver bullet to keep client software in robust health. Welcome as it is, the new Software updates page will be the source of some additional information, but that’s about all.
Keep up to date with developments like the transition to modern authentication for email connectivity protocols by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.
I don’t understand why this article says Apple Mail uses ActiveSync. It actually doesn’t show up like that in Azure AD if OAuth2 was used to connect in the Mail app. It shows up as a browser client, not ActiveSync. Why are you lying and saying it won’t work with an MDM solution? You can deploy the Mail profile with OAuth2 turned on…
The native Apple mail app uses Exchange ActiveSync to communicate with Exchange Online and has done since its first inception. Here’s a link to the documentation: https://docs.microsoft.com/en-us/exchange/clients/exchange-activesync/exchange-activesync?view=exchserver-2019
As to why it doesn’t show up as ActiveSync in Azure AD, that could be because the connect that comes into Azure AD is post-OAuth authorization and that’s what’s picked up.
I’m not saying (or lying) that OAuth2 won’t work with iOS mail apps managed through MDM. Microsoft said that the solution Apple will deploy to automatically upgrade mail app profiles/configurations to change them from basic authentication to modern authentication (OAuth 2) won’t work with MDM solutions because these solutions take care of app configurations, and you probably wouldn’t want Apple to mess with those configurations. As you point out, you can deploy the clients with modern authentication with OAuth enabled.
Do you usually insult people with your comments to posts?