Office 365 - Which clients/protocols will be supported?
"Office 365" refers to subscription plans that include access to Office applications plus other productivity services that are enabled over the Internet (cloud services). By default, all UW-Madison Office 365 users have access to email, calendar, and people. You can use many different clients to connect (via an email protocol) to your Office 365 account.
Table of Contents
- What is a client?
- What is an email protocol?
- What clients/protocols are supported by Office 365 Team?
- Under what other circumstances would these protocols be disabled for an existing account?
- Additional context for the security justification
- Important note about SMTP Auth
- Does Microsoft plan to end support for IMAP and POP?
- Enable/Disable Protocol
- What happens if a protocol is disabled?
- Reasons for disabling a protocol
A client is an application that is used to connect to your Office 365 account. Some examples include Microsoft Outlook or Internet Explorer/Google Chrome.
Email protocol is a method by which a communication channel is established between two computers and email (some protocols also include calendar data) is transferred between them. When an email is transferred, a mail server and two computers are involved. One computer sends the mail and the other one receives it. The mail server stores the mail and lets the receiving device access it and download it if needed.
Even though Microsoft provides you with the ability to connect to your Office 365 account using a wide variety of clients/protocols, for the best experience and complete support, Microsoft recommends connecting through one of the following ways:
- via the Exchange protocol (MAPI) within most current version Outlook desktop client
- using the most current version of Outlook App for iOS/Android
- connecting to Outlook on the Web using one of the recommended/supported web browsers
- ActiveSync/IMAP/POP/SMTP Auth protocols are disabled by default for any new Office 365 account (NetID or Service Account).
- Anyone may voluntarily toggle these protocols from the admin site, and the UW-Madison Office 365 team encourages people to voluntarily disable protocols they aren’t using.
- Over the winter of 2017/2018, ActiveSync/IMAP/POP/SMTP Auth protocols were disabled for accounts that had not connected within the previous six months via these protocols.
- Any account that is found to be compromised by a malicious actor may also have these protocols disabled to mitigate an ongoing incident.
- Accounts that are managed by participating departments who mandate strict policies against the use of legacy protocols.
Abuse of the email service by compromised NetID credentials is a very large and growing issue at UW-Madison. These credentials are used to access mailboxes, send out phishing to other people, and potentially exfiltrate sensitive email messages.
- Disabling unnecessary protocol access to accounts makes it more difficult for malicious actors to automatically test the validity of passwords obtained from phishing and 3rd party password database dumps.
- Reducing the number of protocols that can be used to export data from a mailbox will help reduce the risk of data exfiltration due to abuse via compromised credentials.
- If (and when) Multi-Factor Authentication (MFA) is available and enabled for an account, disabling these non-legacy protocols is a way to ensure that malicious actors can’t bypass MFA by using a legacy protocol that isn’t compatible with MFA.
Additional context for the support justification:
Some people accidentally configure a client that “POPs” messages out of their account. This change would be a safeguard against that occurrence.
SMTP Auth is deprecated and is no longer supported. The Wisc Account Administration site will only show the status of this protocol for an account.
Individuals who had SMTP Auth enabled for their account before January 2019 can continue to use this protocol. If the protocol is disabled, it cannot be reenabled.
Probably not anytime soon, but there are caveats.
According to Microsoft: Office 365 system requirements changes for Office client connectivity
“Effective October 13th, 2020, Office 365 will only allow Office client connectivity from subscription clients (Office 365 ProPlus) or Office perpetual clients within mainstream support to connect to Office 365 services.”
What does this mean?
Microsoft has not stated that IMAP and POP functionality will end, so the UW-Madison Office 365 team believes that IMAP and POP will continue to function after 2020. However, based on conversations with our Microsoft partners, it is clear that they are advocating strongly for the deprecation of clients and protocols that aren’t capable of using Modern Authentication.
Modern Authentication is what enables enhanced security, in terms of password handling and Multi-Factor Authentication. Microsoft’s position, coupled with UW-Madison’s needs for enhanced security of credentials and authentication flows, means that the UW-Madison Office 365 team is taking the strategic position of encouraging people to use clients capable of Modern Authentication by default.
Are there any policy justifications for this change?
Yes. Some people configure Gmail (or other 3rd party services) to POP email out of their UW-Madison mailbox. This requires Gmail store the password in a decryptable format on their servers.
Technically, this is a violation of UW password policy, however we recognize that many people have been doing this for years, so that is why there are no plans to disable POP for existing accounts.
If you would like to enable/disable a protocol, use the following steps:
- Log into Wisc Account Administration site.
- Select the account you want to manage.
- Click on the "Office 365" tab in the left-hand column. It will be expanded.
- Click Client Protocols.
- Within the 'Client Protocols' screen, click on the desired action next to the protocol you want to manage.
Note: If a protocol is disabled, the account cannot be used to connect to Office 365 via that protocol. For example, if you only want a student to use Outlook on the web and Outlook 2016, OWA and MAPI are the only protocols that need to be enabled. It may take up to 24 hours for the change to be reflected within Office 365 infrastructure.
If a protocol is disabled for an account, any client that attempts to connect via the disabled protocol to your Office 365 account will be unable to connect (some type of connection error). Below is a list of errors you may receive:
- Outlook on the web - browsers: "Something went wrong - The mailbox being access not have a valid account state ('ProtocolDisabled')"
- Outlook desktop: You may receive an encryption or connection error.
- Outlook for Android: You will receive a connection error.
- Outlook for iOS: You will receive a connection error.
- ActiveSync - native mobile mail/calendar clients: unable to verify account.
- EWS applications - used by developers via API code: unable to connect or verify account.
- IMAP - any mail client: unable to connect or verify account, or repeatedly prompted for account credentials.
- POP - any mail client: unable to connect or verify account, or repeatedly prompted for account credentials.
- UW SMTP Auth - sending mail via any client/process: error attempting to connect or unable to send message.
- Messages deleted via POP and IMAP bypass the Deleted Items folder and cannot be recovered
- Departmental policy mandating that only certain protocols be used for security and/or compliance reasons
- Principle of least privilege: by enabling only the protocols that you use to access your account, there is reduced risk of undesired access
- Due to compliant with security policy - many SMPH customers have this policy assigned to their UW-Madison Office 365 account.