Microsoft and Apple Team Up to Boost Exchange Online Security on iOS & macOS

Security

Microsoft has teamed up with Apple to improve the security of Exchange Online accounts on iOS and macOS devices. In upcoming iOS and macOS updates, users who connected a Microsoft Exchange mailbox in Apple’s Mail app with Basic authentication will be automatically migrated to the more secure OAuth 2.0-based Modern authentication.

Apple introduced support for Modern authentication to its Mail app on iOS and macOS devices a couple of years ago. However, this change was only applicable to new Exchange Online accounts and millions of old accounts still use the less secure Basic authentication mechanism.

Considering that Basic authentication is prone to password spray attacks, Microsoft is getting ready to drop support for Basic authentication for most protocols in Exchange Online in October. This change aligns with the commitment of Apple, Microsoft, and Google to implement passwordless support across device platforms.

Apple to add ROPC grant support on iOS

Microsoft is now working with Apple to develop a solution that will ensure a seamless transition to Modern authentication for their customers. We’ll spare you the technical details, but the upcoming iOS update will bring support for the Resource Owner Password Credential (ROPC) grant. Basically, it should guarantee that an application handles passwords stored on users’ devices in a secure way.

“A few days after a device is updated, the Mail app will use the credentials it already has in a new flow to authenticate to the Identity Provider (in this case, Azure Active Directory), receive OAuth access and refresh tokens in return, remove the stored Basic auth credentials from the device, and then reconfigure the settings on the account to use OAuth,” the Exchange team explained.

It is important to ensure a smooth migration from Basic to Modern authentication. Microsoft has advised IT Pros to check for controls and policies like Multi-factor Authentication (MFA) and Conditional Access (CA) that may require user interaction. Additionally, the company is urging IT admins to provide consent to the Apple Mail app at the tenant level. Consequently, iOS users with Basic authentication will no longer need to grant permissions individually to the app.

Microsoft and Apple Team Up to Boost Exchange Online Security on iOS devices

Meanwhile, the transition from Basic to Modern authentication will not automatically occur for customers currently using a Mobile Device Management (MDM) solution. IT admins will either need to use MDM or contact the software vendor to make the switch to the Modern authentication mechanism.

Microsoft to enable Modern authentication on macOS soon

The Redmond giant will communicate this change to all IT admins who have Apple Mail users with Basic authentication via a Message Center post in the coming days. The company has provided step-by-step instructions to grant tenant-wide admin consent for the Apple Mail app via PowerShell or the Azure Portal.

Apple plans to roll out the new Modern authentication mechanism in an upcoming iOS update. This update will also be available for all macOS users at some point in the future. It is important to note that this change will not impact devices using certificate-based authentication.