Microsoft is working with Apple on an iOS update to improve Exchange Online secu...

Microsoft is working with Apple on an iOS update to improve Exchange Online security

Basic authentication is an old industry standard that is used to verify client-server connections. However, in recent years, it has proved to be a significant attack vector to compromise data security. As such, most software vendors have been ditching the aging mechanism and gravitating towards Modern authentication based on OAuth 2.0 for increased security.

This is also the case with the Apple Mail app which switched to Modern authentication several years ago. However, this meant that only new accounts which were added to a device after this migration from Basic to Modern authentication took place could enjoy the benefits of better security while older accounts remained stuck with Basic authentication. This problem even extended to the original configuration propagating across new devices and backups. Microsoft is now tackling this issue once and for all by collaborating with Apple.

While the details are a bit technical, basically what will happen is that Apple will integrate support for the Resource Owner Password Credential (ROPC) grant in a future iOS update. This handler ensures that apps use the credentials stored on your device in a secure manner. Following this update, the Mail app will use ROPC to leverage your existing credentials to create an authentication flow for Exchange Online account with Azure Active Directory. You will receive OAuth tokens in response, your account will be configured to permanently use Modern authentication, and finally, Basic authentication credentials will be removed.

To make this transition as smooth as possible, Microsoft has encouraged tenant admins to check controls and policies such as Conditional Access (CA) and Multi-factor Authentication (MFA), which may require input from users before the switch is made. Similarly, it has also encouraged admins to grant resource access to the Mail app at a tenant level so that every user does not have to individually approve permissions.

However, if you use a Mobile Device Management (MDM) solution, the switch to Modern authentication will not automatically take place and you will need to collaborate with your MDM vendor to ensure that you are using the ROPC workflow in the Mail app.

There are some detailed instructions for IT admins in Microsoft's blog post here. However, the key points for consumers to understand is that this authentication workflow switch will happen in an upcoming iOS and iPadOS update. The same capability will also arrive for macOS at some point. Clients using certificate-based authentication mechanisms will remain unaffected.