> On 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
>> Does anyone know if there is any alternative to Outlook to access
>> Exchange Online mailboxes that require modern authentication?
>>
>> The IT department of the organization that is pushing this says that
>> modern authentication and disabling IMAP (over SSL) enhance security. I
>> don't see how this is the case. Does anyone have an opinion?
>
> There's two orthogonal things here: using temporary tokens for protocol
> login, and using IMAP.
>
> If you move a lot of the authentication into one common system which can
> present short-lived tokens for other application protocols to use, then
> you can start piling in more checks in one place.  It becomes easier to
> require two-factor authentication, etc etc.  Typically you then get an
> OAuth token out of that.
>
> You can use OAuth tokens in other protocols; within email and IMAP,
> Google use the `OAUTHBEARER` SASL mechanism, and Brandon Long of Google
> contributed support to mutt (requires external commands to handle the
> flow, in the usual mutt manner).
>
> As to IMAP/TLS -- I know of no security reason to mandate disabling IMAP
> as opposed to any other access protocol.  This sounds more like the
> traditional Outlook FUD-spreading re open protocols.
>
> -Phil
>

Start with
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

Azure AD supports several of the most widely used authentication and
authorization protocols including legacy authentication. Legacy
authentication refers to protocols that use basic authentication.
Typically, these protocols can't enforce any type of second factor
authentication. Examples for apps that are based on legacy authentication
are:

Older Microsoft Office apps
Apps using mail protocols like POP, IMAP, and SMTP

...

Legacy authentication protocols
The following options are considered legacy authentication protocols

Authenticated SMTP - Used by POP and IMAP clients to send email messages.
Autodiscover - Used by Outlook and EAS clients to find and connect to
mailboxes in Exchange Online.
Exchange Online PowerShell - Used to connect to Exchange Online with
remote PowerShell. If you block Basic authentication for Exchange Online
PowerShell, you need to use the Exchange Online PowerShell Module to
connect. For instructions, see Connect to Exchange Online PowerShell using
multi-factor authentication.
Exchange Web Services (EWS) - A programming interface that's used by
Outlook, Outlook for Mac, and third-party apps.
IMAP4 - Used by IMAP email clients.
MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
Offline Address Book (OAB) - A copy of address list collections that are
downloaded and used by Outlook.
Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
Outlook Service - Used by the Mail and Calendar app for Windows 10.
POP3 - Used by POP email clients.
Reporting Web Services - Used to retrieve report data in Exchange Online.
Other clients - Other protocols identified as utilizing legacy
authentication.

Regards
Mark.
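
The two login styles discussed in this thread, as an added example that is not part of either message: it builds the SASL PLAIN (RFC 4616) and OAUTHBEARER (RFC 7628) initial responses for an IMAP AUTHENTICATE command and decodes each to show which kind of secret reaches the mail server. The account, host, password and token are constructed placeholders, and the helper names are hypothetical.

```python
import base64

def _saslname(s: str) -> str:
    # GS2 escaping for the authzid (RFC 5801): '=' first, then ','.
    return s.replace("=", "=3D").replace(",", "=2C")

def sasl_plain(user: str, password: str) -> bytes:
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd (basic auth)."""
    return b"\x00" + user.encode() + b"\x00" + password.encode()

def sasl_oauthbearer(user: str, host: str, port: int, token: str) -> bytes:
    """RFC 7628: GS2 header, then ^A-separated key=value pairs, ^A^A at end."""
    pairs = [f"host={host}", f"port={port}", f"auth=Bearer {token}"]
    return (f"n,a={_saslname(user)},\x01" + "\x01".join(pairs) + "\x01\x01").encode()

def authenticate_line(tag: str, mech: str, payload: bytes) -> str:
    # Sending the initial response on the command line needs SASL-IR (RFC 4959).
    return f"{tag} AUTHENTICATE {mech} {base64.b64encode(payload).decode()}"

def describe(line: str) -> dict:
    """Decode an AUTHENTICATE line and report which kind of secret it carries."""
    _tag, _cmd, mech, blob = line.split(" ", 3)
    raw = base64.b64decode(blob)
    if mech == "PLAIN":
        _authzid, user, _password = raw.split(b"\x00")
        return {"mechanism": mech, "user": user.decode(), "secret": "password"}
    if mech == "OAUTHBEARER":
        header, *pairs = raw.decode().split("\x01")
        fields = dict(p.split("=", 1) for p in pairs if p)
        # Header is "n,a=<escaped user>,"; undo the GS2 escaping.
        user = header.split(",")[1][2:].replace("=2C", ",").replace("=3D", "=")
        scheme = fields["auth"].split(" ", 1)[0]
        return {"mechanism": mech, "user": user, "secret": f"{scheme} token"}
    raise ValueError(f"unhandled mechanism: {mech}")

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    user, host = "alice@example.com", "imap.example.com"
    legacy = authenticate_line("a1", "PLAIN", sasl_plain(user, "constructed-password"))
    modern = authenticate_line("a1", "OAUTHBEARER",
                               sasl_oauthbearer(user, host, 993, "CONSTRUCTED-TOKEN"))
    for line in (legacy, modern):
        print(line)
        print("  ->", describe(line))
```

In the PLAIN line the mail server receives the account password itself; in the OAUTHBEARER line it receives only a token issued by the central login system, which is where checks such as a second factor are applied.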

