Microsoft's plan to improve cloud security could mean problems for incompatible on-premises systems and applications -- and the users who rely on them.
IT administrators get constant reminders that security is one of their top priorities at every layer within the infrastructure. This responsibility requires them to take the steps to secure their environments, which also extends to the Office 365 tenant. Microsoft will turn off basic authentication support in Office 365 on Oct. 1 and make modern authentication mandatory to use the collaboration platform. This change might cause issues for admins who have not fully evaluated their organization's infrastructure and prepared for the updated authorization and authentication protocols.
A switch to modern authentication is easy but preparation is needed
A change to modern authentication on the Office 365 tenant is easy to implement and far more secure. IT administrators can implement modern authentication organization-wide with a simple PowerShell command or via the web admin portal. But once the change is made, any authentication attempt from a Microsoft Office app or third-party product that connects to Office 365 will stop and cause significant disruption to the end users.
Some of the typical issues users will experience after the move to modern authentication include trouble connecting to email from some of the legacy version of Outlook, including clients older than Outlook 2013 in Windows and other legacy versions in MacOS. To meet modern authentication requirements on these systems, Microsoft recommends a change to a version above Outlook 2013, but IT cannot always upgrade all the Office apps. These issues are not limited to just legacy versions of Outlook but are found in other Microsoft Office products, such as Word, Excel, PowerPoint and Microsoft Teams.
Meeting modern authentication requirements might require heavy lifting
Many IT administrators have numerous issues to deal with that might limit their ability to perform the necessary upgrades for all their end users. These issues can include:
- lack of device management tools to push out Office 365 upgrades to all the users;
- the use of third-party add-ons to the Microsoft Office suite and lack of compatibility with the newer versions of Microsoft Office apps;
- users who work remotely that make it more difficult to access and update those machines;
- hardware that may not meet the minimum requirements for the new Microsoft Office suite; and
- Microsoft sign-in popup from modern authentication could get blocked by web filters, preventing users from seeing the login prompt.
One way to overcome the lack of device management to push out the latest upgrade of Office is to use the Office Deployment Tool (ODT). This is a command-line utility that downloads and deploys Microsoft 365 Apps to Windows client machines. ODT gives administrators more control over new Office apps installations. Not only does ODT assist with the installation, but admins can also use it to deploy specific tools and languages to machines without user interaction. The tool is available for downloading at this link.
To work with modern authentication, other tools and application will require updates. Some third-party email apps will need an upgrade to the latest supported version that supports modern authentication; IT administrators will need to consult their software vendor to keep email working. However, not every application will meet the modern authentication requirements, regardless of version. If the switch to the Office 365 tenant is made, then the connectivity for these apps to email servers will be broken. MacOS Mail (10.14) or older versions face the same challenge, but an upgrade to newer versions will support modern authentication.
What are the prerequisites for modern authentication in hybrid environments?
For organizations in a hybrid environment that host some of Microsoft services on premises such as Exchange Server and Skype for Business, it is highly recommended to update or upgrade those servers to the latest versions or patch level that support modern authentication. For Microsoft's email platform, this includes using Exchange Server 2013 CU19 and up, Exchange Server 2016 CU8 and up and Exchange Server 2019 CU1 and up.
If the organization uses Active Directory Federation Services for SSO or other authentication needs, then IT must have Windows 2012 R2 AD FS 3.0 and above for federation. For users on Skype for Business Server, one requirement is to have at least the May 2017 cumulative update (CU5) for Skype for Business Server 2015 or later. For the hybrid setup, the following requirements must be met to support the integration of modern authentication with Exchange Online and other Office 365 services:
- a Skype for Business Server 2019 deployment with servers that run Skype for Business Server 2019;
- a Skype for Business Server 2015 deployment with servers that run Skype for Business Server 2015;
- a deployment with a maximum of two different server versions for Skype for Business Server 2015 or Skype for Business Server 2019;
- all Skype for Business servers must have the latest cumulative updates installed; and
- there is no Lync Server 2010 or 2013 in the hybrid environment.
How to prepare for the Microsoft modern authentication deadline
Given the risk associated with the move to modern authentication, administrators will need an inventory of the systems that interact with Office 365 services. As part of this plan, administrators must outline where upgrades will be needed and any additional changes to meet modern authentication requirements, such as OS upgrades or replacement of apps that will not work with the updated security protocols.
Failing to get ahead of the looming deadline will cause issues with business email and communications that many companies rely on for their day-to-day business activities.