Microsoft 365 - Modern Authentication

Overview

In the fall of 2022, Microsoft will be requiring all connections to Microsoft 365 to use "modern authentication" in place of the outdated "basic authentication" that was previously the industry standard. This change is being implemented to provide increased security for Microsoft 365 (Texas A&M Exchange) accounts. Modern authentication is already available for Texas A&M University Exchange accounts, but some email clients may still be using basic authentication without issue. We recommend re-configuring your email client to use modern authentication as soon as you are able.

What are basic and modern authentication?

At their core, both basic and modern authentication authenticate you to your email server using your NetID and password, though the specific way each accomplishes this is different. Of the two, modern authentication is more secure.

Basic authentication

In basic authentication, your email client sends your username and password to Microsoft 365. Microsoft 365 then forwards your username and password to TAMU's login service. The login service verifies your credentials and returns an authentication token to Microsoft 365. If the authentication was successful, your email client will then be connected to Microsoft 365.

Modern authentication

In modern authentication, your username and password are not sent to Microsoft 365. Instead, you are directly taken to the TAMU login page (CAS).  After entering your NetID and password, you will verify your login using NetID Two-Factor Authentication (Duo).

Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0 (a more technical description of OAuth 2.0 can be found on the OAuth website). Because the mail client holds an OAuth 2.0 token rather than your password, it may not need you to enter your username and password each time you use the client.

Why basic authentication is less secure

There are two primary reasons why basic authentication is less secure than modern authentication.

  1. Basic authentication is not protected by two-factor authentication (Duo), so compromised credentials can be used to access your email and send email from your account.
  2. Basic authentication can be used to verify username and password combinations through techniques such as credential stuffing, brute force, and password spray attacks. If one of these techniques is successful, then the credentials can be used to access other systems.

What mail clients support modern authentication?

Download links for some common mail clients that support modern authentication are listed below. Even though these mail clients support modern authentication, they may currently be using basic authentication. Instructions to verify that your mail client is configured to use modern authentication are in the next section.

                      Windows   macOS   iOS     Android   Linux
Gmail                 No        No      No      Y (3)     No
macOS/iOS Mail        No        Y       Y (1)   No        No
Outlook               Y         Y       Y       Y         No
Outlook for the Web   Y         Y       Y       Y         Y
Thunderbird           Y (2)     Y (2)   No      No        Y (2)
Windows Mail          Y         No      No      No        No

  1. For iOS native mail client: If you receive an email stating that your email access has been blocked, the iOS mail client is still using basic authentication. To resolve this issue, remove the account and re-add it using our instructions. YOU MUST choose the "Sign In" option and NOT "Configure Manually."
  2. Thunderbird version 77.0b1 or later supports modern authentication. Earlier versions do not.
  3. Gmail only supports modern authentication on Android version 8.0 and greater.

How do I reconfigure my email client to use modern authentication for Exchange?

The easiest way to reconfigure your client and verify it is using modern authentication is to remove your Texas A&M email account from your device and then re-add it.

Instructions for the most common email clients are below.

Can I use modern authentication on email clients that use legacy protocols?

Microsoft supports authentication to Microsoft 365 with legacy protocols such as IMAP, POP, and SMTP. Clients supporting OAuth 2.0 should be able to connect to Microsoft 365; however, support for OAuth 2.0 with Microsoft 365 is entirely dependent upon the client developer. Just because a client supports OAuth 2.0 does not necessarily mean that it will connect to Microsoft 365 using OAuth 2.0. Configuring clients to use OAuth 2.0 with a legacy protocol will be unique for each client.
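The difference between the two methods on a legacy protocol shows up in the login command itself. The sketch below is an added example, not part of the original article or of any Microsoft or Texas A&M tooling: it builds the SASL PLAIN (basic) and SASL XOAUTH2 (OAuth 2.0) initial responses and classifies IMAP client commands by what they disclose to the mail server. It assumes commands carry the initial response inline; the account, password, token and session lines are constructed.

```python
import base64

def sasl_plain(user, password):
    # Basic authentication: the reusable password itself goes to the mail server.
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def sasl_xoauth2(user, access_token):
    # OAuth 2.0: only a bearer token issued by the login service is sent.
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

UNKNOWN = {"auth": "unknown", "user": None, "server_sees": None}

def classify(command):
    """Classify one IMAP client command by what it discloses to the mail server."""
    parts = command.split()
    verb = parts[1].upper() if len(parts) > 1 else ""
    if verb == "LOGIN" and len(parts) == 4:
        return {"auth": "basic", "user": parts[2], "server_sees": "password"}
    if verb != "AUTHENTICATE" or len(parts) != 4:
        return dict(UNKNOWN)
    try:
        raw = base64.b64decode(parts[3], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return dict(UNKNOWN)  # malformed base64 or non-text payload
    mech = parts[2].upper()
    if mech == "PLAIN" and raw.count("\0") == 2:
        return {"auth": "basic", "user": raw.split("\0")[1], "server_sees": "password"}
    if mech == "XOAUTH2":
        fields = dict(f.split("=", 1) for f in raw.split("\x01") if "=" in f)
        if fields.get("auth", "").startswith("Bearer "):
            return {"auth": "modern", "user": fields.get("user"), "server_sees": "bearer token"}
    return dict(UNKNOWN)

# Constructed session lines (sample account, password and token are made up).
USER = "netid@example.edu"
SESSION = [
    f"a1 LOGIN {USER} Sample-Passw0rd",
    f"a2 AUTHENTICATE PLAIN {sasl_plain(USER, 'Sample-Passw0rd')}",
    f"a3 AUTHENTICATE XOAUTH2 {sasl_xoauth2(USER, 'constructed-access-token')}",
    "a4 AUTHENTICATE XOAUTH2 not*base64",
]

def summarize(session):
    # Return (command tag, auth type) for each client command.
    return [(c.split()[0], classify(c)["auth"]) for c in session]

if __name__ == "__main__":
    for tag, auth in summarize(SESSION):
        print(tag, auth)
```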

FAQ

Why am I receiving a message that my email access has been blocked?

If you see a message like the one below stating, "Your email access has been blocked," it means your department has turned off the option to use Basic Authentication and your mail client is not using Modern Authentication. Re-configuring your email client to use Modern Authentication using the instructions above will allow you to access your email.

[Image: Message stating that your email access has been blocked.]

What does the device code Apple-iPhone10C2/1902.74 (or similar) in the email I received mean?

These codes are generated by the Exchange ActiveSync connection process and can be used to identify the specific model of iPhone and what version of iOS was used to make a connection. A list of codes can be found in our documentation on iPhone model and OS codes. Knowing which of your devices is still using Basic Authentication can help you determine which devices specifically need updating. For example, if you have an iPhone and two iPads, but only have the code Apple-iPad5C1/1806.72, then you know that the device that needs updating is an iPad Mini 4 running iOS 14.6.
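For anyone triaging several block notices at once, the lookup described above can be scripted. This is an added example, not part of the original article: it parses the two device codes quoted here, and it assumes the part after the slash encodes the iOS build as two digits of build train, two digits for the build letter (06 = F), then the build number. The lookup tables hold only the mapping this article states, and the notice lines are constructed.

```python
import re

# Device code layout assumed from the codes quoted in the article:
# Apple-<family><major>C<minor>/<train><letter as 2 digits>.<number>
CODE_RE = re.compile(r"Apple-(iPhone|iPad|iPod)(\d+)C(\d+)/(\d{2})(\d{2})\.(\d+)")

# Only the mapping stated in this article; extend from the full model/OS code list.
KNOWN_MODELS = {"iPad5,1": "iPad Mini 4"}
KNOWN_BUILDS = {"18F72": "iOS 14.6"}

def decode(match):
    """Turn a regex match on a device code into model and build identifiers."""
    family, major, minor, train, letter, number = match.groups()
    if not 1 <= int(letter) <= 26:
        return None  # letter index outside A-Z: not a code we understand
    model_id = f"{family}{major},{minor}"
    build = f"{int(train)}{chr(ord('A') + int(letter) - 1)}{number}"
    return {"code": match.group(0), "model_id": model_id, "build": build,
            "model": KNOWN_MODELS.get(model_id), "os": KNOWN_BUILDS.get(build)}

def parse_device_code(code):
    """Parse a single device code; returns None if it does not fit the layout."""
    m = CODE_RE.fullmatch(code.strip())
    return decode(m) if m else None

def devices_on_basic_auth(notices):
    """Collect the distinct devices named in a batch of block notices."""
    seen = {}
    for text in notices:
        for m in CODE_RE.finditer(text):
            info = decode(m)
            if info:
                seen.setdefault(info["code"], info)
    return list(seen.values())

# Constructed notice lines using the two codes quoted in the article.
NOTICES = [
    "Your email access has been blocked. Device: Apple-iPad5C1/1806.72",
    "Your email access has been blocked. Device: Apple-iPhone10C2/1902.74",
    "Your email access has been blocked. Device: Apple-iPad5C1/1806.72",
]

if __name__ == "__main__":
    for d in devices_on_basic_auth(NOTICES):
        print(d["code"], d["model_id"], d["build"], d["model"], d["os"])
```

Codes whose model or build is not in the tables come back with `None` in those fields, which marks them for a manual lookup in the full code list.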

When I set up my email, why am I told that the Exchange administrator can remotely manage my device or erase it?

When connecting to your Texas A&M Microsoft 365 account, you may see various messages that you are giving your Exchange administrators the ability to manage your device.

Texas A&M does NOT manage personal devices, including applying software policies or wiping data from a personal device. 

Additional information on these messages can be found in our knowledge base article on personal device management.

 


Details

Article ID: 477
Created: Thu 5/2/24 10:01 AM
Modified: Mon 6/24/24 9:27 AM
