Basic Authentication: What You Need to Know

What Is Changing?

UAlbany is decommissioning basic authentication to Office 365 (UAlbany Mail) on August 4, 2020. Microsoft has long used basic authentication for email sign-in, but is moving to modern authentication.

Please check to ensure you are using the most recent version of Microsoft Outlook/Office for your computer and the Microsoft Outlook mobile app for your mobile devices. See below for instructions.

What does Basic Authentication look like?

Basic Authentication Example: When you log in, you provide your email address and password directly to the application.

Modern Authentication Example: When you log in, you are sent to the familiar UAlbany login page to provide your credentials.

What will be the impact of this change?

  • Non-Outlook Email Applications: Any email application using POP, IMAP, or basic authentication with Exchange Web Services (EWS) or Exchange ActiveSync (EAS) will no longer work after 8/4/2020. We recommend moving to Microsoft Outlook for your computer and installing the Microsoft Outlook app for your mobile devices.

  • UAlbany email accounts linked to non-UAlbany email services: Linking your UAlbany Mail email account to Gmail, Yahoo!, or Hotmail (for example, so you can see all your messages in one inbox) will no longer function after 8/4/2020. We recommend moving to Microsoft Outlook or Outlook on the web.

  • Old versions of Microsoft Office: Versions of Microsoft Office earlier than 2016 (including 2013, 2011, 2010, 2007, etc.) will no longer be able to connect to Office 365 after 8/4/2020.

How do I know how I am affected?

You may have received an email from ITS if you used basic authentication in February or March 2020. The email will tell you how you are affected and what you need to do to address it.

What do I need to do on a Windows or Mac computer?

Check that you are using the updated version of Microsoft Outlook for your computer and the Microsoft Outlook mobile app for your mobile devices. 

How to check your version of Outlook on your computer

Outlook Version Installed: Outlook 2016, 2019, or 365 for Windows or macOS

Action Required:

  • If your account is connected using modern authentication, you're all set! If you are not sure, you can create a new Outlook profile with Modern Authentication.

  • If your account is connected using basic authentication, create a new Outlook profile with Modern Authentication.

Outlook Version Installed: Any version earlier than 2016

Action Required:

  • For University-owned computers: Contact your Technology Coordinator or submit an ITS Service Desk Request for assistance upgrading to the latest version of Office, which supports modern authentication.

  • For non-University-owned computers: Install and use the latest version of Office 365 by following these instructions: Install Office 365 (PC and Mac)

What do I need to do on a mobile device?

We recommend that you use the Microsoft Outlook mobile app on your mobile device(s) to access your UAlbany Mail email and calendar and remove your UAlbany mail account from your device's native (built-in) mail client.  The Microsoft Outlook mobile app will be the only mail and calendar mobile application fully supported by ITS.  Depending on the version, the native mail and calendar clients on your mobile device may not work with modern authentication (e.g., the “Mail” app on your iPhone). 

To get the Microsoft Outlook mobile app, please follow this link from your mobile device:

When searching the app stores, the Microsoft Outlook mobile app looks like the image to the left.

Which email clients are capable of modern authentication in Office 365?

The following clients are capable of authenticating to Office 365 Exchange Online with modern authentication.  Generally, it is recommended to be on the latest version of each client and operating system.

Background

How does basic authentication work in Office 365?

With basic authentication, your email/calendar client (application) will transmit your username and password to Office 365 (Exchange Online). Office 365 will forward your credentials to UAlbany. UAlbany will verify the credentials and return a token to Office 365. If authentication was successful and the user is authorized, the email/calendar client will be connected to Office 365.

What is modern authentication?

If your email/calendar client uses modern authentication, your credentials are not sent to Office 365 (Exchange Online). Instead, you'll be redirected to the familiar UAlbany login screen. If your account is protected by 2-Step Login, you will be required to confirm your login. Your client may maintain a connection to Office 365 with an OAuth token, so you may not be required to log in each time you use the client.

Which clients require basic authentication?

Office 365 does not support modern authentication with IMAP, POP, and SMTP protocols. If you're using an IMAP client like Thunderbird or if you POP your email to Gmail, login is completed via basic authentication. Today, Office 365 allows for either basic or modern authentication with Exchange Web Services (EWS) and Exchange ActiveSync (EAS). Depending on support within your email/calendar client, you may be required to use basic authentication to use EWS or EAS.

How is basic authentication less secure than modern authentication?

Basic authentication in Office 365 is less secure for multiple reasons:

  • If your credentials (NetID username and password) are compromised, they can be used to access your mailbox or to send email from your account. Since basic authentication is not protected by multi-factor authentication, even those enrolled in 2-Step are at risk.

  • Even if an account is protected by 2-Step Login and all basic-auth capable protocols are disabled, Office 365 basic authentication can be used to verify usernames and passwords via credential stuffing, brute force and password spray attacks. If verified, then the credentials can be used to access other systems/services.
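The two risks above can be checked for in sign-in records. The Python below is an added example, not UAlbany's or Microsoft's code; the flat record schema (`user`, `ip`, `protocol`, `auth`, `ok`) and the sample events are constructed. It inventories who still signs in with basic authentication and flags a source whose basic-auth failures span many accounts, including any account whose password that source confirmed:

```python
from collections import defaultdict

# Constructed sample records; the flat schema (user, ip, protocol, auth, ok)
# is hypothetical, not a real Office 365 log export.
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "protocol": "IMAP", "auth": "basic", "ok": True},
    {"user": "alice", "ip": "198.51.100.7", "protocol": "EWS", "auth": "modern", "ok": True},
    {"user": "bob", "ip": "198.51.100.9", "protocol": "EAS", "auth": "basic", "ok": True},
    {"user": "carol", "ip": "198.51.100.12", "protocol": "EWS", "auth": "modern", "ok": True},
    # One source trying passwords against many accounts over basic auth.
    {"user": "alice", "ip": "203.0.113.50", "protocol": "IMAP", "auth": "basic", "ok": False},
    {"user": "bob", "ip": "203.0.113.50", "protocol": "IMAP", "auth": "basic", "ok": False},
    {"user": "carol", "ip": "203.0.113.50", "protocol": "POP", "auth": "basic", "ok": False},
    {"user": "dave", "ip": "203.0.113.50", "protocol": "POP", "auth": "basic", "ok": True},
]


def basic_auth_inventory(events, known_bad_ips=()):
    """Users who still sign in with basic auth, and over which protocols."""
    usage = defaultdict(set)
    for e in events:
        # EWS and EAS accept either method, so the auth field decides.
        if e["auth"] == "basic" and e["ok"] and e["ip"] not in known_bad_ips:
            usage[e["user"]].add(e["protocol"])
    return {user: sorted(protos) for user, protos in usage.items()}


def spray_suspects(events, min_targets=3):
    """Source IPs whose basic-auth failures span at least min_targets accounts."""
    failed = defaultdict(set)
    accepted = defaultdict(set)
    for e in events:
        if e["auth"] != "basic":
            continue
        (accepted if e["ok"] else failed)[e["ip"]].add(e["user"])
    return {
        # A password accepted from a flagged source is a confirmed credential,
        # whether or not 2-Step Login later blocks mailbox access.
        ip: {"targets": sorted(users | accepted[ip]),
             "password_confirmed": sorted(accepted[ip])}
        for ip, users in failed.items()
        if len(users) >= min_targets
    }


if __name__ == "__main__":
    suspects = spray_suspects(SAMPLE_EVENTS)
    print(suspects)
    print(basic_auth_inventory(SAMPLE_EVENTS, known_bad_ips=set(suspects)))
```

Accounts listed under `password_confirmed` need a password reset, and users in the inventory are the ones who must move to a client that supports modern authentication before the cutoff.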

How long will Microsoft support basic authentication in Office 365?

Microsoft has already discontinued support for basic authentication with the Outlook REST API. Microsoft has announced an end of support for basic authentication with EWS, EAS, POP, IMAP, and Remote PowerShell (RPS) in 2021. Support for basic authentication with Office 365 SMTP is expected to continue beyond 2020.

Microsoft's announcements: