Changes to Office 365 Email Authentication

May 6th 2022, TrueChem version 22.5.1

Recent policy and configuration changes by Microsoft have made it difficult for some software to connect to Office 365 and send email using the traditional authentication methods. TrueChem is not exempt from these new policies and Microsoft may be forcing you to make changes on your end in order for TrueChem and other software\devices to connect and send email.

We hope this document will help explain why this is happening and give some advice on steps you can take to comply with the new requirements.

These changes must be performed by your Office 365 Administrator. TrueLogic is not your Office 365 Administrator and does not have the permissions to make these changes for you. The rest of this document consists of technical instructions to help your Office 365 Administrator make the necessary changes.

Understanding SMTP AUTH

SMTP AUTH has been the traditional method for authenticating with an SMTP server for a few decades. This method sends the user name and password to the server. Once authenticated, the program can then submit email messages for delivery to the recipients. It’s a system that is easy to set up, manage, and understand.

Over time, slight changes have been made to the SMTP AUTH protocol, primarily to enhance security by using TLS. TLS is the successor to SSL and encrypts the traffic to and from your SMTP server.

Understanding "Modern Authentication"

In 2020, Microsoft added "Modern Authentication" to Office 365 via OAuth 2.0. OAuth uses a token\secret instead of a user\password. Token-based authentication has two primary benefits: granular permissions can be assigned to the token, so you expose only specific rights and functionality, and tokens can be revoked.

When user\passwords are compromised, the attacker has control of everything the user has access to. When tokens\secrets are compromised, the attacker only has control over the things the token has access to. In the event of a security incident, the token can be revoked which cuts off its access without affecting the user’s account or other tokens assigned to that account.

From a security standpoint, “Modern Authentication” is the superior choice, but it does add a layer of complexity when managing tokens and token permissions. Microsoft recommends moving from SMTP AUTH to Modern Authentication now.

In March of 2022, Microsoft announced that BASIC AUTH will be permanently terminated October 1, 2022 in favor of Modern Authentication. Note that BASIC AUTH and SMTP AUTH are two different things. BASIC AUTH grants access to other parts of the Microsoft ecosystem using a user\password, while SMTP AUTH grants SMTP access. SMTP AUTH will NOT be disabled when BASIC AUTH is disabled. But we do not know if or when SMTP AUTH will be disabled in the future.

Problems and Solutions to common SMTP AUTH issues

Microsoft is recommending a switch from SMTP AUTH to "Modern Authentication" and is also taking steps to prevent connections using SMTP AUTH. You may be able to re-enable SMTP AUTH for the Tenant:

  1. Microsoft is forcing clients to use TLS 1.2 by default (read more here).
    SOLUTION: Update to TrueChem v22.5.1 or higher, which includes support for TLS 1.2. If you cannot update TrueChem, you can also opt in to a Legacy Endpoint (read more here). You can also try one of the Alternative Solutions listed in the next section.
  2. Microsoft is turning off SMTP AUTH for all Tenants where it has not detected any previous SMTP AUTH traffic (read more here).
    SOLUTION: Enable SMTP AUTH for the Tenant or for the mailbox used to authenticate.
  3. Microsoft disables SMTP AUTH if you have enabled "Security Defaults", and new Tenants have "Security Defaults" enabled by default (read more here).
    SOLUTION: You will NOT be able to use SMTP AUTH if you are using "Security Defaults". These "Security Defaults" are a predefined set of options that allow Administrators to quickly enable basic security best practices (read more here).
  4. Microsoft doesn't recommend using SMTP AUTH (read more here). Microsoft recommends "Modern Authentication".
    SOLUTION: Microsoft recommends using "Modern Authentication". TrueChem v22.5.1 and higher supports Modern Authentication with OAuth 2.0.
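Item 2 above asks your Office 365 Administrator to enable SMTP AUTH for the Tenant or for the sending mailbox. The following Exchange Online PowerShell session is an added example, not TrueLogic's own code or documentation; it assumes the ExchangeOnlineManagement module is installed, that the caller holds an Exchange administrator role, and that the mailbox address is a placeholder you replace with the account TrueChem sends as.

```powershell
# Added example (not TrueLogic's code): inspect and, only where needed, enable
# SMTP AUTH for the single mailbox TrueChem authenticates with, instead of
# re-enabling it for the whole tenant.
# Assumptions: ExchangeOnlineManagement module installed; caller is an Exchange
# administrator; the mailbox address below is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in; the module supports MFA

$Mailbox = 'truechem-alerts@example.com'   # placeholder: mailbox TrueChem sends as

# 1. Tenant-wide setting. $true means SMTP AUTH is disabled for every mailbox
#    unless a mailbox overrides it.
$tenant = Get-TransportConfig
"Tenant SmtpClientAuthenticationDisabled: $($tenant.SmtpClientAuthenticationDisabled)"

# 2. Per-mailbox setting. An empty value means 'inherit the tenant setting';
#    $false explicitly enables SMTP AUTH for this mailbox only.
$cas = Get-CASMailbox -Identity $Mailbox
"Mailbox SmtpClientAuthenticationDisabled: $($cas.SmtpClientAuthenticationDisabled)"

# 3. Prefer the narrow change: enable SMTP AUTH for the sending mailbox only and
#    leave the tenant-wide setting disabled, so username/password SMTP access is
#    limited to one account that should hold only the rights needed to send mail.
if ($cas.SmtpClientAuthenticationDisabled -ne $false) {
    Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false
    "Enabled SMTP AUTH for $Mailbox"
}

# Re-enabling SMTP AUTH tenant-wide would instead be:
#   Set-TransportConfig -SmtpClientAuthenticationDisabled $false
# That exposes every mailbox to SMTP AUTH, so it is left as a comment here.

Disconnect-ExchangeOnline -Confirm:$false
```

If "Security Defaults" are enabled (item 3 above), SMTP AUTH stays blocked regardless of these settings, so check that first.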

Alternative Solutions

These policy changes affect any device in your organization that sends email via SMTP and SMTP AUTH (scanners, multifunction printers, etc.) and other software that also sends via SMTP and SMTP AUTH (alerts, event warnings, activity reports, logs, etc.). If these programs\devices cannot be updated to support TLS 1.2 or Modern Authentication, there are a few options:

You may already have one of these solutions set up in your organization, or you might need to use one of these solutions for software and devices that cannot be updated to use TLS 1.2.

Using Modern Authentication in TrueChem

Learn how to set up Modern Authentication here.