News

Microsoft Improves Office 365 Authentication with June Update

• By Kurt Mackie
• June 11, 2015

Microsoft plans to release an update to Office 365 this month that will improve Android and iOS Outlook client authentication for Exchange Online.

Specifically, the update will be turning on the use of the OAuth delegation protocol for use by those Outlook clients. OAuth is an Internet Engineering Task Force open specification for authorizing Web-enabled apps. It's not an authentication protocol per se, but it gets used inside of authentication protocols, according to an OAuth.net article.

Microsoft enables OAuth through its Active Directory Authentication Library (ADAL), which is now getting turned on for Exchange Online mailboxes. That change allows users to authenticate using Azure Active Directory, which is the identity provider service that's used across Office 365 services. With this integrated OAuth capability, Android and iOS Outlook users can access e-mail by just signing into their Office 365 accounts.

"ADAL-based sign in enables OAuth for Office 365 accounts, providing Outlook with a secure mechanism to access email without requiring access to the user's credentials," Microsoft's announcement on Wednesday explained.

Organizations get some management and security controls, too. For instance, the Android and iOS Outlook clients now support "multifactor authentication." Multifactor authentication is Microsoft's term for a secondary security challenge that initiates after a user enters a password. The security challenge arrives on a device in the form of an e-mail, text message or automated phone call, providing an alternative way of verifying the user's identity.

While Microsoft is turning on this OAuth capability for Office 365 end users this month, it will require that end users log into their devices for the change to take effect. Users will get a prompt to do that "over the next week," Microsoft promised. The log-in will "automatically convert their account from basic authentication to OAuth," Microsoft explained. At that point, multifactor authentication policies will start to work.

Microsoft's announcement explained that Exchange ActiveSync doesn't support OAuth, so organizations relying on that protocol will just have the "basic authentication" capability. They won't have multifactor authentication support, for instance.

OAuth is currently used by Microsoft for its Outlook.com and OneDrive clients. It's also used by companies such as Dropbox and Box for accessing their cloud storage services. Google also uses OAuth for its Gmail app, according to Microsoft's announcement.

In a different announcement, Microsoft explained that it enhances its Exchange ActiveSync protocol first for its cloud-enabled Office 365 services. Exchange ActiveSync "version 16" will be the next version of the protocol, which is used to synchronize data with premises-based Exchange mailboxes. Version 16 will add calendar reliability improvements, as well as improvements to attachment handling. ActiveSync 16 also will allow draft folders to be synced.

Those ActiveSync improvements will start to show up "soon" for Microsoft's Office 365 account users, Microsoft promised. Organizations can check for version 16 by running the "Exchange ActiveSync Autodiscover" test at this page.