Microsoft’s plan to improve cloud security could lead to problems for incompatible on-premises systems and applications – and the users who depend on them.
IT administrators are constantly reminded that security is one of their top priorities at every layer of the infrastructure. This responsibility requires them to take the necessary steps to secure their environments, which also extends to the Office 365 tenant. Microsoft will disable Basic Authentication support in Office 365 on October 1 and mandate Modern Authentication. to use the collaboration platform. This change may cause issues for administrators who have not fully assessed their organization’s infrastructure and prepared for updated authorization and authentication protocols.
Moving to modern authentication is easy, but preparation is required
A modern authentication change on the Office 365 tenant is easy to implement and much more secure. IT admins can implement org-wide modern authentication with a simple PowerShell command or through the web admin portal. But once the change is made, any attempt to authenticate any Microsoft Office application or third-party product that connects to Office 365 will stop and cause significant disruption to end users.
Some of the typical issues that users will encounter after switching to Modern Authentication include problems connecting to email from some legacy versions of Outlook, including pre-Outlook 2013 clients on Windows and other legacy versions of macOS. To meet modern authentication requirements on these systems, Microsoft recommends upgrading to Outlook 2013, but IT cannot always upgrade all Office applications. These issues are not limited to older versions of Outlook, but are found in other Microsoft Office products, such as Word, Excel, PowerPoint, and Microsoft Teams.
Meeting modern authentication requirements can be daunting
Many IT admins face many issues that may limit their ability to perform necessary upgrades for all of their end users. These problems can include:
- lack of device management tools to push Office 365 upgrades to all users;
- use of third-party add-ons to the Microsoft Office suite and lack of compatibility with new versions of Microsoft Office applications;
- users who work remotely who make it difficult to access and update these machines;
- hardware that may not meet the minimum requirements of the new Microsoft Office suite; and
- The Microsoft sign-in pop-up from Modern Authentication could be blocked by web filters, preventing users from seeing the sign-in prompt.
One way to overcome the lack of device management to deploy the latest Office upgrade is to use the Office Deployment Tool (ODT). It is a command-line utility that downloads and deploys Microsoft 365 Apps to Windows client computers. ODT gives administrators more control over new installations of Office applications. Not only does ODT help with installation, but administrators can also use it to deploy specific tools and languages to machines without user interaction. The tool is available for download at this link.
To work with Modern Authentication, other tools and apps will require updates. Some third-party email apps will require upgrading to the latest supported version that supports Modern Authentication. IT administrators will need to consult with their software vendor to keep email working. However, not all apps will meet modern authentication requirements, regardless of version. If the switch to the Office 365 tenant is made, the connectivity of these applications to mail servers will be interrupted. MacOS Mail (10.14) or earlier versions face the same challenge, but upgrading to newer versions will support modern authentication.
What are the prerequisites for modern authentication in hybrid environments?
For organizations in a hybrid environment that host some of the on-premises Microsoft services such as Exchange Server and Skype for Business, it is strongly recommended that you update or upgrade these servers to the latest versions or patch level that supports supports modern authentication. For Microsoft’s messaging platform, this includes using Exchange Server 2013 CU19 and later, Exchange Server 2016 CU8 and later, and Exchange Server 2019 CU1 and later.
If the organization uses Active Directory Federation Services for single sign-on or other authentication needs, IT must have Windows 2012 R2 AD FS 3.0 and later for federation. For Skype for Business Server users, a requirement is to have at least May 2017 Cumulative Update (CU5) for Skype for Business Server 2015 or later. For the hybrid configuration, the following requirements must be met to support modern authentication integration with Exchange Online and other Office 365 services:
- a deployment of Skype for Business Server 2019 with servers running Skype for Business Server 2019;
- a deployment of Skype for Business Server 2015 with servers running Skype for Business Server 2015;
- a deployment with a maximum of two different server versions for Skype for Business Server 2015 or Skype for Business Server 2019;
- all Skype for Business servers must have the latest cumulative updates installed; and
- there is no Lync Server 2010 or 2013 in the hybrid environment.
How to Prepare for Microsoft’s Modern Authentication Deadline
Given the risk associated with moving to modern authentication, administrators will need an inventory of systems that interact with Office 365 services. As part of this plan, administrators should identify where upgrades will be needed and any additional changes to meet modern authentication requirements, such as operating system upgrades or replacement of applications that will not work with updated security protocols.
Failing to get ahead of the looming deadline will lead to problems with email and business communications that many businesses rely on for their day-to-day business operations.
