Last status on AzureAD Security defaults and using SMTP/IMAP
I have now read a lot of articles here and on docs.microsoft.com about the consequences of activating AzureAD Security defaults and the impact on legacy authentication like SMTP/IMAP. But all solutions I was able to find require buying Azure Active Directory Premium P1 for each account which should be able to accept SMTP/IMAP.
Well, this is not a solution for us, since P1 is just much too expensive.
So, what is the latest status? Are there any other options for keeping these mailboxes within Exchange Online, or do we have to move them to a non-Microsoft mail service?
@JSpaniel As a Partner you might be eligible for a number of licenses for EM+S E3, which include AAD Premium P1.
Then, be aware about this blog post from the Exchange team that explains that, independent of AAD Security Defaults, legacy auth will be generally blocked by ~October 2020: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282#
So while you can use AAD P1 now to get app passwords working, this is not a long-term solution.
What kind of mailboxes/access scenarios are you talking about? There might be alternatives like an SMTP service running in the local environment for sending emails - when it is about third-party email clients/services, the vendor should be contacted to give info on what their roadmap for modern auth is, since this change in Exchange Online will affect all such clients.
Thank you Janosch for your quick reply.
Well, both solutions, using Partner's P1 or contacting the vendor, will not work for us. And for sure also not for other Office 365 customers.
Honestly, I do not understand why Microsoft does no longer support app passwords like other big players do (Google, Apple). This would be a balanced compromise.
In this case we can only advise our customers to move away from Office 365. Which will not help to sell Office 365/Microsoft 365.
But again thanks for your help.
The reasoning is in the mentioned blog post. Again, it is not app passwords that are affected, but legacy authentication protocols as a whole.
This is also why the other major players like Apple and Google have added Modern Auth. support in their email clients already.
What exactly does not work for you? I would like to know more about what is different for you and your customers compared to the other Partners I have talked to in the last months, where some of them were even happy that legacy protocols will be disabled by default and they do not need to configure custom conditional access policies to block legacy auth like they did in the past. Not saying this should be true & easy for everybody, still I would be interested in what your specific scenario is.
As already mentioned: there is a lot of hardware which only supports SMTP. There are a lot of software tools in use, starting from CRM tools, accounting, mail-campaign management, which need to have access to mailboxes and which only support IMAP and SMTP. Some might offer new software versions which support modern Microsoft authentication. But in many cases companies have to buy updates or even have to throw their scanners in the bin and have to buy new devices.
I don't think, that our customers are very different from other companies.
And I am not sure if you understood my hint about app passwords while AD security defaults are enabled: why can't users then add an app password via My Account / Security as this was possible before? This would solve all issues I know about AD Security defaults. And if this would be too unsafe, then perhaps when defining the app password, you can define the protocol or even the IP address which is allowed to use this app password.
Because Azure AD Security Defaults will block legacy protocols - so even when an app password was set, the security defaults will block access using the protocols that app passwords can be used for.
So you can still set app passwords with AAD Security defaults on, but they will not work because of this block.
However, if you used app passwords before, it means you already need to have sufficient licenses to be allowed to do that, so you can - as long as Exchange Online supports this scenario - still disable AAD Security defaults and use app passwords like you were used to. This leads me to the question: why do you want to enable AAD Security defaults if this causes problems for you and you had a working solution before?
Partner Center Security requirements do not require AAD Security defaults to be enabled, they "just" require MFA for every account. And also for end customers it is not mandatory.
Reg. scanners - if scanners are using SMTP delivery to a mailbox (like an external sender) it will not be affected by this change, as mentioned in the blog. Some other partners I have talked with considered using an SMTP relay service for submission (e.g. something like SendGrid). Devices/services polling for email in a mailbox will be affected for sure though.
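The reply above makes the practical point that Security Defaults block whole legacy protocols (IMAP4, POP3, SMTP AUTH submission, ActiveSync) rather than app passwords as such, and that inbound SMTP delivery to a mailbox is not affected. Before enabling Security Defaults, the thing a practitioner wants is an inventory of which accounts in the tenant still sign in over those protocols. The script below is an added example written for this thread, not code from Microsoft or from either poster: it triages an exported Azure AD sign-in log and lists the accounts and protocols that would be blocked. It assumes the export is a JSON array whose entries carry the `userPrincipalName` and `clientAppUsed` fields as in the Azure AD sign-in log; the legacy/modern client lists are adapted from the documented `clientAppUsed` values and should be treated as an assumption to extend for your tenant, and the sample entries are constructed.

```python
import json
from collections import defaultdict

# Client app names that the Conditional Access "legacy authentication
# clients" condition (and therefore Security Defaults) treat as legacy.
# Assumed list, adapted from the documented values of the sign-in log
# field "clientAppUsed"; extend it if your export uses other names.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP",            # SMTP AUTH client submission (scanners, CRM tools)
    "AutoDiscover",
    "Exchange ActiveSync",
    "Exchange Online PowerShell",
    "Exchange Web Services",
    "IMAP4",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service",
    "POP3",
    "Reporting Web Services",
    "Other clients",
}
# Client app names that use modern (OAuth-based) authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample of an Azure AD sign-in log export (not real tenant data).
# Only the fields this script needs are included.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2020-03-01T08:00:00Z", "userPrincipalName": "scanner@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2020-03-01T08:05:00Z", "userPrincipalName": "crm-mailbox@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4"},
    {"createdDateTime": "2020-03-01T08:10:00Z", "userPrincipalName": "crm-mailbox@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4"},
    {"createdDateTime": "2020-03-01T08:15:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser"},
    {"createdDateTime": "2020-03-01T08:20:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync"},
    {"createdDateTime": "2020-03-01T08:25:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"createdDateTime": "2020-03-01T08:30:00Z", "userPrincipalName": "svc-report@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Some Future Client"},
])


def parse_signins(raw_json):
    """Parse an exported sign-in log (JSON array of entries)."""
    entries = json.loads(raw_json)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of sign-in entries")
    return entries


def classify(entry):
    """Return 'legacy', 'modern' or 'unknown' for one sign-in entry.

    Unknown values are reported rather than silently treated as modern,
    so a new client name in the export cannot hide a legacy dependency.
    """
    client = entry.get("clientAppUsed", "")
    if client in LEGACY_CLIENT_APPS:
        return "legacy"
    if client in MODERN_CLIENT_APPS:
        return "modern"
    return "unknown"


def legacy_auth_report(entries):
    """Map each account to the legacy protocols it used and how often.

    These are the sign-ins Security Defaults would block, regardless of
    whether the account has an app password configured.
    """
    report = defaultdict(lambda: defaultdict(int))
    for entry in entries:
        if classify(entry) == "legacy":
            report[entry["userPrincipalName"]][entry["clientAppUsed"]] += 1
    return {upn: dict(protocols) for upn, protocols in report.items()}


def affected_accounts(entries):
    """Sorted list of accounts with at least one legacy-auth sign-in."""
    return sorted(legacy_auth_report(entries))


def unknown_clients(entries):
    """Sorted list of clientAppUsed values the classifier does not know."""
    return sorted({e.get("clientAppUsed", "") for e in entries if classify(e) == "unknown"})


if __name__ == "__main__":
    signins = parse_signins(SAMPLE_SIGNINS)
    for upn, protocols in sorted(legacy_auth_report(signins).items()):
        print(f"{upn}: " + ", ".join(f"{p} x{n}" for p, n in sorted(protocols.items())))
    if unknown_clients(signins):
        print("review unknown client apps:", ", ".join(unknown_clients(signins)))
```

Run against a real export, the report gives the list of mailboxes to hand to vendors or to move to an SMTP relay before flipping Security Defaults on; the `unknown` bucket is deliberate, so that a client name not yet in the lists shows up for review instead of being assumed safe.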
We have discussed the proposed solution. And we have decided to move the related accounts from Exchange Online to a new mail service which continues supporting SMTP and IMAP. Well, of course the disadvantage is that the mail address of these mailboxes will change. We will use a new subdomain.