By Jeyakumar Durai (JD)
Cloud Architect
Microsoft has been driving constant efforts to get rid of “Basic Authentication” – (a weak authentication method subject to easy credential compromise) from the M365 tenants. As a latest update of this effort, Microsoft & Apple have come up with a solution to switch the iOS Native Mail app users from Basic to Modern authentication which will happen seamlessly using ROPC (Resource Owner Password Credentials) method.
Though Apple has been supporting OAuth (Modern Authentication) in its native mail app for a couple years now, OAuth is enabled by default only for the new mailbox configuration. The users with existing configuration continues to have “Basic authentication” even when they upgrad the phone and transfer the data. The users had to completely remove and re-add their accounts in the mail app in order to switch to the new secure OAuth authentication in the backend.
What if your firm has thousands of native Mail app users? There is a solution on its way in the upcoming Apple iOS update, expected in the version iOS 16 which will have “ROPC grant” in the bundle. Few days after the update is installed, the Native Mail app will use the credentials to authenticate with identity provider, refresh the auth token and reconfigure the mailbox account in the native Mail app using OAuth (All happens in the backend without any user action).
There are few scenarios where this seamless switch may not work based on how your environment is set up.
- If you have “Mobile Device Management” set up to push the mail app profile to the devices, then the above said iOS update won’t change the authentication method to OAuth. You have to follow the steps per this article to configure the mail app configuration profile using OAuth and push it to the devices.
- If you have conditional access policy in place for native mail apps that require MFA, the seamless switch will not work. Instead, the users will be prompted to re-enter their password, once entered the authentication will be switched to “OAuth”. Prepare an end-user training material and communicate to your users beforehand to avoid helpdesk calls. You can monitor this “switch over” progress happening for your users using the Azure AD Sign-in Reports
- OAuth requires Admin “Consent” to grant apps access to the mailbox resources. So the administrators must grant “consent” to the Apple Mail app at the tenant level so users don’t get prompted for consent individually and the oAuth switch can take place without interruption.
Please see this Microsoft blog post for more information.
Note: Microsoft is targeting to disable the “Basic Authentication” completely from the M365 tenants starting Oct 1, 2022, so switching the native Mail app authentication to OAuth is vital for any Organization before the deadline.
Helient strongly recommends taking the necessary steps in switching your native mail app users to oAuth asap. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.