Hi Dave

Be good fella and elucidate us as to the name of this non-Microsoft android client that supports MFA, please?

The only reason I started using the streaming pile of putrid dog crap that is Outlook is because corporate decided to enforce MFA - and the Samsung/Android client didn't support that. I'd love to know a client that I can use that supports MFA and isn't Outlook.

Thanks

DaZZa

On Fri, 17 Dec 2021, 7:42 pm David Rawling, <[email protected]> wrote:

> Hi Graham
>
> I am highly cynical about this, I realise, but I find it saves time. With
> that in mind ...
>
> This was discussed fairly extensively a few years ago when Outlook Mobile
> became the "Microsoft-offered/preferred" mobile client. I suspect that for
> most organisations who knew about it and actively considered it, the risk
> analysis included "Well, we already bent over ... er ... I mean, 'offloaded
> authentication to Azure' for Office 365, my corporate credentials and email
> are already stored by a company beholden to the PATRIOT Act etc, so what's
> one more case of credentials stored blindly in the cloud - MS swear it's
> the only/best way to do it and they must know what they're talking about".
>
> I decided back then I would let my employer decide that was OK for their
> stuff, but for my own use I have a different Android client (which supports
> all the Office 365 functionality anyway including MFA, so Microsoft's
> justifications are hollow). Most of these "decisions" on clients seem to be
> made by people on the basis of "ooh shiny", at least within SMEs. I'm sure
> the ADF wouldn't be using Mobile Outlook on this basis, right?
>
> Anyway, for organisations, there's also some value in being able to use
> Azure functionality to lock down mail to their own choice of client and
> managed device, so when it's lost or the employee leaves, company IP can be
> wiped (and they "know" it works). Those who know about the credential
> caching/storage have their concerns dismissed, and their successors have a
> harder time arguing for an alternative, too, since Outlook is already in
> place.
> And since MS hasn't enabled on-premises platforms for modern needs
> like MFA and modern authentication, and is actively trying to make rentals
> the only available option, I doubt the situation will improve.
>
> Dave.
>
> --
>
> David Rawling - Principal Consultant
>
> t: +61 41 213 5513 | e: [email protected]
>
> Please note that whilst we take all care, neither PD Consulting and
> Security nor the sender accepts any responsibility for viruses and it is
> your responsibility to scan for viruses. The contents are intended only for
> use by the addressee and may contain confidential and/or privileged
> material. If you received this in error, we request that you please inform
> the sender and/or addressee immediately and delete the material.
>
> On Fri, 2021-12-17 at 15:42 +1000, Graham Maltby wrote:
>
> Thanks everyone for the confirmation.
>
> The process does not appear to have changed at all from what has been
> described; still storing credentials and all the mail they can slurp. I
> have never liked or used Outlook in any of its various incarnations so
> I've had little exposure to this.
>
> I am somewhat surprised that this is not more well reported in
> mainstream media. If any other app so blatantly stole your data and
> shipped it off overseas, it would be all over the press as this should
> be. But Microsoft, like a number of others, are big enough to get away
> with this.
>
> Cheers,
> Graham
>
> On 17/12/21 14:01, Philip Loenneker wrote:
>
> Hi Graham,
>
> I don't know if this is still the case, but the original "Outlook" app for
> mobiles saved your credentials on a server and downloaded to there, then
> synced it down to your device. I think they did that so they could do
> things like push notifications when you get an email, which doesn't work if
> it runs locally and the app isn't allowed to run in the background. That
> was before Microsoft bought the app, but I haven't looked at it at all
> since then.
>
> Where I was working at the time, we were justifiably concerned by this
> "feature", advised everybody to not use it, and blocked it from working on
> the corporate Internet service.
>
> It is possible that it operates differently now, but from what you
> described, it sounds like they still do the same thing.
>
> This rather old blog post discusses some of the security concerns, but
> it's from 2015 and may be completely irrelevant now.
>
> https://4sysops.com/archives/is-microsofts-outlook-app-for-ios-and-android-insecure/
>
> Regards,
> Philip Loenneker | Senior Network Engineer
> TasmaNet | Vastnet | Netmode
>
> -----Original Message-----
> From: AusNOG <[email protected]> On Behalf Of Graham Maltby
> Sent: Friday, 17 December 2021 2:35 PM
> To: [email protected]
> Subject: [AusNOG] Outlook Mobile (OT)
> Importance: Low
>
> Afternoon all,
>
> While attempting to sort out some autodiscover / activesync processes last
> night, I installed Outlook on my mobile (current Android version from the
> Play Store). Set up an account and logged in.
>
> To my dismay, I find my phone is not connecting over the LAN to the server
> 4m away but instead a server in Seoul, South Korea is connecting and
> downloading my mail instead. Aside from the woeful performance, it raises a
> lot of concerns with privacy, security and data sovereignty.
> The most annoying part (if that was not sufficient), is that 14 hours
> after deleting the account from "all devices" and uninstalling the app, the
> server is still logging in and collecting mail now (or was until I changed
> the password).
>
> Is this common knowledge I have just missed all these years?
>
> Is there a reason the media are not making noise about this?
>
> Does nobody care because it's pretty?
>
> I have very low expectations when it comes to Microsoft but this is poor by
> any measure.
>
> Graham
>
> _______________________________________________
> AusNOG mailing list
> [email protected]
>
> https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.ausnog.net%2Fmailman%2Flistinfo%2Fausnog&data=04%7C01%7Cphilip.loenneker%40tasmanet.com.au%7Cc78698f33b944aa750c408d9c10e5b4c%7Cb53dc580ab7847208b30536f36d398ac%7C0%7C0%7C637753089685219848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=4mr8ny9ODSiKpYpshRZ0eVceTabA95bJbmfw7qhk0KI%3D&reserved=0
