We’ve been working for some time with several partners to come up with ways to smoothly transition our many users from Basic authentication to something more secure: OAuth 2.0-based authentication, or ‘Modern authentication’ as we call it. Today we’re delighted to take the next step along that journey by sharing the work we’ve been doing with Apple to help users of their Mail app switch from Basic auth to Modern auth. To leverage this work and help users make the switch, the Microsoft 365 tenant admin may need to take action to make this transition, so please read carefully.

Several years ago, before OAuth 2.0, Basic authentication was the most common method to connect, primarily because it’s easy to use and was widely supported. But today it’s one of the most common vectors for credential compromise and misuse.

Apple has supported OAuth in iOS and macOS clients for several years, so anyone setting up a new Exchange Online account in the Mail app on these devices should be configured to use Modern auth. The key here is “new.” An Exchange Online account uses Modern auth only if it was added to the device after OAuth support was added to the Mail app.

Even when you upgrade to a newer device, you might still be using Basic auth. When you restore a backup from an old device to a new device or use the built-in migration process to move your data and settings to a new device, your Mail settings will still be configured to use Basic auth.

The difficult challenge of changing the configuration of millions of users using millions of devices requires both the client and the server to work together to provide a smooth transition. So, Apple and Microsoft have worked together to build a solution for our mutual customers.

The solution to a smooth transition lies in OAuth support for something called the Resource Owner Password Credential (ROPC) grant. This grant allows an application to sign in the user by directly handling their password. Given the device already has the user’s credentials, we can use this to our advantage in this one scenario.

Apple will be adding support for this grant and the associated workflow in an iOS 15.6 update. A few days after a device is updated, the Mail app will use the credentials it already has in a new flow to authenticate to the Identity Provider (in this case, Azure Active Directory), receive OAuth access and refresh tokens in return, remove the stored Basic auth credentials from the device, and then reconfigure the settings on the account to use OAuth. From then on, the account uses OAuth to authenticate to Exchange Online, and the user doesn’t even have to know this happened. This is a great benefit, especially if you have many users with many devices using Apple’s Mail app.

There are, however, two challenges to making this flow seamless to the user: possible interruption from existing policies and obtaining consent. The first challenge to making the flow seamless for users arises when you have configured controls and policies that affect the ability of the Mail app to connect using OAuth.
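The migration sequence described above, as an added sketch that is not Apple's or Microsoft's code: it builds the RFC 6749 section 4.3.2 password-grant request and shows the ordering that matters, namely that the stored password is dropped only after tokens are issued. The token endpoint is an offline mock, the client ID, scope and account are constructed placeholders, and `invalid_grant` stands in for whatever error a policy or consent interruption actually returns.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample account as a device might hold it before migration.
ACCOUNT = {"user": "alice@example.com", "auth": "basic",
           "password": "stored-basic-secret"}

def build_ropc_request(user, password, client_id, scope):
    """Form body of an RFC 6749 section 4.3.2 token request."""
    return urlencode({"grant_type": "password", "username": user,
                      "password": password, "client_id": client_id,
                      "scope": scope})

def mock_token_endpoint(body, blocked_users=()):
    """Hypothetical stand-in for the identity provider's token endpoint."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if form["username"] in blocked_users:
        # Assumption: a policy or missing consent surfaces as invalid_grant.
        return 400, {"error": "invalid_grant"}
    return 200, {"token_type": "Bearer", "expires_in": 3600,
                 "access_token": "constructed-access-token",
                 "refresh_token": "constructed-refresh-token"}

def migrate_account(account, token_endpoint,
                    client_id="PLACEHOLDER-CLIENT-ID",
                    scope="PLACEHOLDER-SCOPE"):
    """Move one account from Basic to OAuth; leave it untouched on failure."""
    if account["auth"] != "basic":
        return account                      # already migrated, nothing to do
    body = build_ropc_request(account["user"], account["password"],
                              client_id, scope)
    status, resp = token_endpoint(body)
    if status != 200 or "refresh_token" not in resp:
        # Keep the Basic credentials so mail keeps working; record why.
        return dict(account, last_error=resp.get("error", "unknown"))
    # Tokens issued: build the new settings without copying the password.
    return {"user": account["user"], "auth": "oauth",
            "access_token": resp["access_token"],
            "refresh_token": resp["refresh_token"]}
```

An account that stays on Basic with a recorded error is the case a tenant admin would need to investigate, since it corresponds to the policy and consent interruptions mentioned above.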