Office 365 - Which clients/protocols will be supported?
"Office 365" refers to subscription plans that include access to Office applications plus other productivity services that are enabled over the Internet (cloud services). By default, all UW-Madison Office 365 users have access to email, calendar, and people. You can use many different clients to connect (via an email protocol) to your Office 365 account.
Table of Contents
- What is a client?
- What is an email protocol?
- What clients/protocols are supported by Office 365 Team?
- Under what other circumstances would these protocols be disabled for an existing account?
- Additional context for the security justification
- Important note about SMTP Auth
- Enable/Disable POP Protocol
- What happens if POP protocol is disabled?
- Reasons for disabling POP protocol
What is a client?
A client is an application used to connect to your Office 365 account. Examples include Microsoft Outlook or a web browser such as Internet Explorer or Google Chrome.
What is an email protocol?
An email protocol is a method by which a communication channel is established between two computers and email (some protocols also carry calendar data) is transferred between them. When an email is transferred, a mail server and two computers are involved: one computer sends the mail and the other receives it. The mail server stores the mail and lets the receiving device access it and download it as needed.
What clients/protocols are supported by Office 365 Team?
Even though Microsoft lets you connect to your Office 365 account using a wide variety of clients and protocols, for the best experience and complete support Microsoft recommends connecting in one of the following ways:
- via the Exchange protocol (MAPI) in the most current version of the Outlook desktop client
- using the most current version of Outlook App for iOS/Android
- connecting to Outlook on the Web using one of the recommended/supported web browsers
Under what other circumstances would these protocols be disabled for an existing account?
- The POP protocol is disabled by default for any new Office 365 account (NetID or Service Account).
- Anyone may voluntarily toggle the POP protocol from the admin site, and the UW-Madison Office 365 team encourages people to only enable the POP protocol if they plan to use it.
- Any account that is found to be compromised by a malicious actor will have all protocols disabled to mitigate an ongoing incident. Default protocols are re-enabled when the account is re-enabled.
- Accounts managed by participating departments that mandate strict policies against the use of some protocols are unable to enable those protocols.
- Accounts that are undergoing deactivation.
Additional context for the security justification
Abuse of the email service through compromised NetID credentials is a very large and growing issue at UW-Madison. These credentials are used to access mailboxes, send phishing to other people, and potentially exfiltrate sensitive email messages.
- Enabling password security for an Office 365 account forces modern authentication to be used for all protocols. This helps prevent abuse by compromised account credentials. It also prevents Office 365 from being used for credential stuffing, brute-force and other credential attacks.
- Disabling the POP protocol helps reduce the risk of accidental deletion of email and data exfiltration due to abuse via compromised credentials.
- If (and when) Multi-Factor Authentication (MFA) is available and enabled for an account, enabling password security is a way to ensure that malicious actors can’t bypass MFA by using a legacy protocol that isn’t compatible with MFA.
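The justification above rests on one observable fact: a sign-in over a legacy protocol (POP, IMAP, SMTP Auth) succeeded with nothing but a password, so MFA never had a chance to apply. As an added example, not code from this article or from UW-Madison, the following script shows the check a defender would run over sign-in logs to find accounts still using those protocols and to separate successful legacy sign-ins from bursts of failed ones. The record layout is modelled on the Microsoft Graph sign-in log field names (userPrincipalName, clientAppUsed, ipAddress, status.errorCode); the records, addresses, the failure threshold and the exact set of clientAppUsed values treated as legacy are constructed assumptions for the demo.

```python
"""Flag sign-ins that used legacy (basic-authentication) mail protocols.

Added example; not part of the UW-Madison KB article and not UW code. The
record layout is modelled on the Microsoft Graph sign-in log fields
(userPrincipalName, clientAppUsed, ipAddress, status.errorCode); the records
in SAMPLE_SIGNINS are constructed for this demo, not real tenant data.
"""
import json
from collections import defaultdict

# clientAppUsed values that authenticate with a bare username/password and
# therefore cannot enforce MFA. Treating "Other clients" as legacy is an
# assumption made for this demo.
LEGACY_CLIENT_APPS = {
    "POP3",
    "IMAP4",
    "Authenticated SMTP",
    "Exchange ActiveSync",
    "Other clients",
}

# Constructed sample sign-in log, one JSON record per line (last line is
# deliberately malformed to exercise the parser's error handling).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.edu", "clientAppUsed": "Browser", "ipAddress": "198.51.100.10", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.edu", "clientAppUsed": "POP3", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.edu", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@example.edu", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@example.edu", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.edu", "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "198.51.100.22", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.edu", "clientAppUsed": "Authenticated SMTP", "ipAddress": "203.0.113.9", "status": {"errorCode": 0}}
not json at all
"""


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def legacy_auth_signins(records):
    """Return only the records whose client used a legacy protocol."""
    return [r for r in records if r.get("clientAppUsed") in LEGACY_CLIENT_APPS]


def summarize_legacy_auth(records, failure_threshold=3):
    """Per-user summary of legacy-protocol sign-ins.

    errorCode 0 means the password alone was accepted, so MFA could not have
    been enforced; 50126 is the 'invalid username or password' code. A burst
    of failures against one account from one source suggests password guessing.
    """
    per_user = defaultdict(
        lambda: {"protocols": set(), "successes": 0, "failures": 0, "sources": set()}
    )
    for r in legacy_auth_signins(records):
        entry = per_user[r.get("userPrincipalName", "<unknown>")]
        entry["protocols"].add(r["clientAppUsed"])
        entry["sources"].add(r.get("ipAddress", "?"))
        if r.get("status", {}).get("errorCode", -1) == 0:
            entry["successes"] += 1
        else:
            entry["failures"] += 1

    report = {}
    for upn, e in per_user.items():
        if e["successes"] > 0:
            flag = "successful-legacy-auth"          # password alone got in
        elif e["failures"] >= failure_threshold:
            flag = "repeated-legacy-auth-failures"   # guessing against a legacy endpoint
        else:
            flag = "legacy-auth-attempt"
        report[upn] = {
            "protocols": sorted(e["protocols"]),
            "successes": e["successes"],
            "failures": e["failures"],
            "sources": sorted(e["sources"]),
            "flag": flag,
        }
    return report


if __name__ == "__main__":
    for upn, info in summarize_legacy_auth(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"{upn}: {info['flag']} via {', '.join(info['protocols'])} "
              f"({info['successes']} ok / {info['failures']} failed) "
              f"from {', '.join(info['sources'])}")
```

Run against the constructed sample, alice and carol surface as successful legacy sign-ins (the case the article's MFA argument is about) while bob shows three failed IMAP attempts from one address. Accounts whose only sign-ins are via Browser or Mobile Apps and Desktop clients never appear, which is the state the UW-Madison team is steering people toward.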
Important note about SMTP Auth
SMTP Auth is deprecated and is no longer supported. The Wisc Account Administration site will only show the status of this protocol for an account.
Individuals who had SMTP Auth enabled for their account before January 2019 can continue to use this protocol. If the protocol is disabled, it cannot be re-enabled.
What does this mean?
Microsoft has not stated that IMAP and POP functionality will end, so the UW-Madison Office 365 team believes that IMAP and POP will continue to function after 2020. However, based on conversations with our Microsoft partners, it is clear that they are advocating strongly for the deprecation of clients and protocols that aren’t capable of using Modern Authentication.
Modern Authentication is what enables enhanced security, in terms of password handling and Multi-Factor Authentication. Microsoft’s position, coupled with UW-Madison’s needs for enhanced security of credentials and authentication flows, means that the UW-Madison Office 365 team is taking the strategic position of encouraging people to use clients capable of Modern Authentication by default.
Are there any policy justifications for this change?
Yes. Some people configure Gmail (or other third-party services) to POP email out of their UW-Madison mailbox. This requires Gmail to store the password in a decryptable format on its servers.
Technically, this is a violation of UW password policy; however, we recognize that many people have been doing this for years, which is why there are no plans to disable POP for existing accounts.
Enable/Disable POP Protocol
Important: Make sure you have reviewed the "Under what other circumstances would these protocols be disabled for an existing account?" section above before proceeding to make changes to any of the protocols.
If you would like to enable/disable the POP protocol, use the following steps:
- Log into the Wisc Account Administration site.
- Select the account you want to manage.
- Click the "Office 365" tab in the left-hand column; it will expand.
- Click Client Protocols.
- On the 'Client Protocols' screen, click the desired action next to the POP protocol.
Note: If a protocol is disabled, the account cannot be used to connect to Office 365 via that protocol. It may take up to 24 hours for the change to be reflected within Office 365 infrastructure.
What happens if POP protocol is disabled?
If the POP protocol is disabled for an account, any client that attempts to connect to your Office 365 account via POP will be unable to connect (with some type of connection error). Below is a list of the errors you may receive, by client or protocol:
- Outlook on the web - browsers: "Something went wrong - The mailbox being accessed does not have a valid account state ('ProtocolDisabled')"
- Outlook desktop: You may receive an encryption or connection error.
- Outlook for Android: You will receive a connection error.
- Outlook for iOS: You will receive a connection error.
- ActiveSync - native mobile mail/calendar clients: unable to verify account.
- EWS applications - used by developers via API code: unable to connect or verify account.
- IMAP - any mail client: unable to connect or verify account, or repeatedly prompted for account credentials.
- POP - any mail client: unable to connect or verify account, or repeatedly prompted for account credentials.
- UW SMTP Auth - sending mail via any client/process: error attempting to connect or unable to send message.
Reasons for disabling POP protocol
- Messages deleted via POP bypass the Deleted Items folder and cannot be recovered.
- Departmental policy mandating that only certain protocols be used for security and/or compliance reasons.
- Compliance with security policy: many SMPH customers have this policy assigned to their UW-Madison Office 365 account.