Modern Authentication Methods now needed to continue syncing Outlook Email in non-Microsoft email apps

Honestly, at this point if you haven't disabled app passwords and legacy authentication you're just asking for it.

I've got negative sympathy for maintaining old crap in the authentication game, if you can't have a process that uses modern authentication that process simply isn't supported anymore. Take that crap off the Internet where it belongs. But it needs the Internet? Too bad... go out of business.

The alternative is... well I was going to name and shame, but let me just say my Professional Services team, and NOC teams are all consumed by TWO customers right now because they failed to listen, got crypto'd their backups didn't exist, and both entities are sitting on a giant pile of Rob told us so...

So good news, the insurance valves are open and we're getting paid well. The bad news? This is a community college and a chain of medical clinics down so hard we can't even determine what data was exfiltrated. All backups destroyed, all data lost. Pay the ransom? Oh well! SUCKS TO BE YOU! Because decrypting encrypted virtual disks ALWAYS results in a damaged disk, which in turn consumes the files inside it, which are IN TURN ENCRYPTED. By the time you get done DOUBLE DECRYPTING YOUR CRAP, most of it is gone.

So again, it's not that I have zero sympathy, I have NEGATIVE sympathy. It's 2024, we've been at war for my entire career, the US is facing an ugly election cycle on top of a weakening economy, while Russia, India, and China's economies fail. Toss in sanctions and the black market and we have all the investment you can imagine to ensure 2024 is the worst year for cyberthreats to date. Mark my words, Q4 is going to suck! Because yes, these bastards know you want to take vacation over the holidays and you better believe they're going to hit the Friday before you leave!

And 99.99% of the risk can be remediated by simply utilizing M365 correctly, and configuring authentication properly. It's an action that takes ~20 hours to do well, fully custom, and in a way that doesn't blow up the SMB's processes. But yes, they will have to buy Business Premium or Entra ID P1 for all their accounts and actually spend a few dollars.

MFA for Admins! (No exceptions without a waiver)
MFA for Users! (Documented exceptions, with a waiver, and clearly defined rationale)
Disable Legacy Authentication (No exceptions without a waiver, hill to die on, fire the customer)
Secure Security Info Registration (No exceptions without a waiver, hill to die on, fire the customer)

These four Conditional Access policy templates are there at a click. They are the BARE SCRAPING MINIMUM. Deploy them, now! And don't call me... my heart can't take it anymore.
 
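For anyone who wants the four templates above as code rather than clicks, here is an added example (mine, not from the post above or from Microsoft's template library) that creates the same four policies with Microsoft Graph PowerShell. It assumes the Microsoft.Graph modules are installed, the caller holds Policy.ReadWrite.ConditionalAccess, the tenant is licensed for Conditional Access (Entra ID P1 or Business Premium, as the post says), and that `$BreakGlassUpn` is a placeholder for your emergency-access account, which is the one "waiver" you always need. Everything is created in report-only mode so you can watch the sign-in logs before enforcing.

```powershell
# Added example, not the thread's or Microsoft's code. Creates the four baseline
# Conditional Access policies in report-only mode via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph installed; scopes below granted; Entra ID P1 licensed;
# $BreakGlassUpn is a placeholder for the tenant's emergency-access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","User.Read.All"

$BreakGlassUpn = "breakglass@contoso.example"          # placeholder, change this
$breakGlass    = Get-MgUser -UserId $BreakGlassUpn      # the documented exception

# Directory role template ID for Global Administrator. Add other privileged
# role template IDs here after looking them up with Get-MgDirectoryRoleTemplate.
$adminRoles = @("62e90394-69f5-4237-9190-012177145e10")

$reportOnly = "enabledForReportingButNotEnforced"       # flip to "enabled" later

$policies = @(
    @{  # 1. MFA for Admins (no exceptions without a waiver)
        displayName   = "Baseline: Require MFA for administrators"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # 2. MFA for Users (documented exceptions go in excludeUsers / an exclusion group)
        displayName   = "Baseline: Require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # 3. Disable Legacy Authentication (hill to die on)
        # "exchangeActiveSync" and "other" are the client app types that carry
        # basic auth (IMAP, POP, SMTP AUTH, EWS, older ActiveSync). Blocking them
        # is what kills app passwords and ancient mail clients.
        displayName   = "Baseline: Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync","other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # 4. Secure Security Info Registration: MFA before a user can enrol new MFA
        # methods, except from trusted named locations (so an attacker with a
        # stolen password can't quietly register their own authenticator).
        displayName   = "Baseline: Secure security info registration"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeUserActions = @("urn:user:registersecurityinfo") }
            locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
)

$created = foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id | Format-Table -AutoSize

# After reviewing report-only results in the sign-in logs, enforce one policy at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <Id> -BodyParameter @{ state = "enabled" }
```

Report-only first is deliberate: the sign-in log shows `reportOnlyFailure` for every sign-in the policy would have blocked, which is exactly the list of waiver candidates you have to chase down before enforcing.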
Hahahahaha. That made me LOL - I'm definitely stealing that turn of phrase! You are not wrong, btw.
Yeah, but it still freaking hurts. In both cases the organizations paid the terrorists, got the decryptor... but the decrypted systems are still non-functional.

Some data was recovered, and in one case we were able to resurrect Active Directory, in the other... I got the email this morning... nope. I can't even get Metasploit | Mimikatz out and dump the database because we can't get a usable copy of NTDS.DIT anywhere!

Did I mention one of their "IT Guys", destroyed two recoverable DCs by wiping a RAID array to "get the server to reboot"?

So emotionally, I'm utterly spent this week on these two unrelated companies, led by leadership suffering from the same ignorance, supported by internal IT teams of severely deficient skill, and... well... We'll get them back online, but we have to rebuild from scratch to do it. Have you ever distributed 30,000 student logins and passwords in one go? We're about to...

Both companies got EXTREMELY LUCKY in the same way too...

The attackers disabled AD in such a brutal way, Entra ID Connect failed. If Entra ID Connect had been allowed to synchronize to M365, the CLOUD RESOURCES WOULD BE GONE TOO!

So we're just SSO'ing applications to live on Entra ID where possible to bring services back online in the proper cloud only way for now, but we still have to get AD online to get their door locks, surveillance, and call recording systems back online. Such a mess...

For some scale:
The medical clinic is ~10,000 users.
The school is ~50,000 users.

So if anyone thought that going into larger businesses will get you away from the stupidity... nope... just makes the messes bigger.

P.S. The M365 Licensing that supports the students at the school dies in two weeks.... we have THAT going on too.

Such... a bloody mess.
 
For some scale:
The medical clinic is ~10,000 users.
The school is ~50,000 users.

So if anyone thought that going into larger businesses will get you away from the stupidity... nope... just makes the messes bigger.

Oh man - what a disaster. No way in hell I'd have the constitution to deal with such large organizations. My stomach gets queasy just thinking about it. I'm sure this topic will now show up in one of my Sisyphean nightmares, so thanks for that, haha.
 
No way in hell I'd have the constitution to deal with such large organizations.

Same here. Having worked for a mid-size defense contractor as my first job in IT, one of the world's largest telecommunications companies for my second, as well as in schools and state agencies, I long ago decided that the problem is bureaucracy in any large organization. People who have no expertise constantly second guessing those who do, but conversely (with regard to IT in particular), those who believe that enforcement of a "one size fits all and it will be the size I want" policy is reasonable, ever.

Every rule, and there should generally be a lot of them, is bound to have an exception, and for genuine business needs. I don't care how upset you (generic you) who are in charge of IT assets are about having to grant exceptions - granting those on an as-needed basis is part of your damned job.

What I have to go through, over and over again, in order to get accessibility to be set up as required by the ADA would make many people's hair curl. And almost every bit of resistance comes in the form of, "But we don't do that for anybody!!" Simple response: So, I gather you have not needed to support employees with disabilities before who need assistive technology. Well, you do now, and the law requires you to make variances, as necessary, to support that. Now get on with it!

IT martinets are the worst kinds of martinets!
 
Oh man - what a disaster. No way in hell I'd have the constitution to deal with such large organizations. My stomach gets queasy just thinking about it. I'm sure this topic will now show up in one of my Sisyphean nightmares, so thanks for that, haha.
I'm not alone, the team that's working these remediations is ~20 people. There is no way to do this alone!

Good news is, we think we've got a copy of ntds.dit, which will let us recover the LAPS logins and BitLocker keys.

Also good news, we think we've worked out the magic required to manage the local hardware with a greenfield AD, but that AD trusts Entra ID DS provided AD such that the Entra ID users can login to AD joined machines. Which will let us convert all the endpoints to native cloud managed, while also providing an "AD" that functions. The process eliminates the risk of Entra ID Connect, and moves a copy of this new AD into a position where this is literally impossible to happen again.

HUGE upgrade, but... still a massive mess! We've got ~5,000 endpoints to get booted, remote access into via the old tools (sort of working), so we can drop them off the old domain, join them to Entra ID, get them enrolled in Intune and then get the users logging in via Entra ID. While that's in flight the entire access control system and everything else that was integrated with AD has to come online to the new AD that's being reworked from the ground up using new methodologies.

Oh... and classes started Monday. So....
 
Honestly, at this point if you haven't disabled app passwords and legacy authentication you're just asking for it.

I've got negative sympathy for maintaining old crap in the authentication game, if you can't have a process that uses modern authentication that process simply isn't supported anymore. Take that crap off the Internet where it belongs. But it needs the Internet? Too bad... go out of business.

The alternative is... well I was going to name and shame, but let me just say my Professional Services team, and NOC teams are all consumed by TWO customers right now because they failed to listen, got crypto'd their backups didn't exist, and both entities are sitting on a giant pile of Rob told us so...

So good news, the insurance valves are open and we're getting paid well. The bad news? This is a community college and a chain of medical clinics down so hard we can't even determine what data was exfiltrated. All backups destroyed, all data lost. Pay the ransom? Oh well! SUCKS TO BE YOU! Because decrypting encrypted virtual disks ALWAYS results in a damaged disk, which in turn consumes the files inside it, which are IN TURN ENCRYPTED. By the time you get done DOUBLE DECRYPTING YOUR CRAP, most of it is gone.

So again, it's not that I have zero sympathy, I have NEGATIVE sympathy. It's 2024, we've been at war for my entire career, the US is facing an ugly election cycle on top of a weakening economy, while Russia, India, and China's economies fail. Toss in sanctions and the black market and we have all the investment you can imagine to ensure 2024 is the worst year for cyberthreats to date. Mark my words, Q4 is going to suck! Because yes, these bastards know you want to take vacation over the holidays and you better believe they're going to hit the Friday before you leave!

And 99.99% of the risk can be remediated by simply utilizing M365 correctly, and configuring authentication properly. It's an action that takes ~20 hours to do well, fully custom, and in a way that doesn't blow up the SMB's processes. But yes, they will have to buy Business Premium or Entra ID P1 for all their accounts and actually spend a few dollars.

MFA for Admins! (No exceptions without a waiver)
MFA for Users! (Documented exceptions, with a waiver, and clearly defined rationale)
Disable Legacy Authentication (No exceptions without a waiver, hill to die on, fire the customer)
Secure Security Info Registration (No exceptions without a waiver, hill to die on, fire the customer)

These four Conditional Access policy templates are there at a click. They are the BARE SCRAPING MINIMUM. Deploy them, now! And don't call me... my heart can't take it anymore.
That's right, tell us how you really feel... yikes. All true though. I do hope you are a bit calmer in front of the client though.

Sucks for them, and especially you, hammering home every time you see them that you should do this, and you should do that, and then this happens.

Happened to me a few times. Every visit the first thing is the same thing I say. And then it happens, then the look on their face when you say it's too late.
 
That's right, tell us how you really feel... yikes. All true though. I do hope you are a bit calmer in front of the client though.

Sucks for them, and especially you, hammering home every time you see them that you should do this, and you should do that, and then this happens.

Happened to me a few times. Every visit the first thing is the same thing I say. And then it happens, then the look on their face when you say it's too late.
Tis true! We've got a golden relationship and ultimate trust with the leadership of both of these organizations because we had proposals on their desks to solve these problems a year ago! A year and a half ago for the medical clinic.

But they didn't do anything... it's rather hard to be mad at your vendor when the vendor has been pointing out these issues for ages and you didn't act on it. The problem is... typically someone on the board winds up being the scapegoat, and afterward we've got higher than normal probability of churn.

There are no winners in these circumstances. Though we're in the best position possible.
 
I thought Microsoft already did this last winter....lemme check....

Googles up "When did Microsoft enforce flipping on Security Default in 365 tenants?"
First answer....March 11, 2024. //looks at calendar. Yup...Microsoft already did this for us.

Now...Security Defaults tickles quite a few settings in a 365 tenant, and one of them is...disabling basic auth.

So I'm kinda curious why this late June announcement..maybe it's now touching residential grade Outlook.com stuff? Which...I don't deal with in the least bit.

But for businesses, yeah... Microsoft had been announcing the "forced enabling" of security defaults since... way before this past March... and they played those war drums very loudly all last summer and fall. And any MSP worth their salt should have been flipping to conditional access by then anyways... leaving security defaults for those uber cheap clients they don't give a rat's arse about... certainly nothing on a managed plan anyways.
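Whether basic auth got switched off by Security Defaults or by a Conditional Access policy, the question an MSP has to answer before (or right after) the switch is "who is still using it?" Here is an added example of my own, not code from anyone in this thread, that pulls the recent Entra ID sign-in log with Microsoft Graph PowerShell, tallies sign-ins by legacy protocol and user, and lists the sign-ins a report-only policy would have blocked. It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All and Directory.Read.All scopes, and Entra ID P1 (needed for sign-in log retention); `$Days` and the output path are placeholders.

```powershell
# Added example, not the thread's code. Finds accounts still authenticating with
# legacy (basic auth) protocols and sign-ins that a report-only CA policy would block.
# Assumptions: Microsoft.Graph.Reports installed; scopes below granted; Entra ID P1.

Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$Days   = 7                                              # placeholder look-back window
$OutCsv = "$env:TEMP\legacy-auth-signins.csv"            # placeholder output path

# Values of clientAppUsed that the sign-in log reports for basic-auth protocols.
# Modern-auth clients show up as "Browser" or "Mobile Apps and Desktop clients".
$legacyProtocols = @(
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Other clients"
)

$since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. Who is still on legacy protocols, and how often? Each row is a waiver
#    conversation or a client reconfiguration (e.g. Thunderbird to OAuth2).
$legacy = $signIns | Where-Object { $legacyProtocols -contains $_.ClientAppUsed }
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = "User";     e = { $_.Values[0] } },
        @{ n = "Protocol"; e = { $_.Values[1] } } |
    Format-Table -AutoSize

# 2. What would the report-only policies have blocked? "reportOnlyFailure" is the
#    result a policy in enabledForReportingButNotEnforced state records when it
#    would have denied the sign-in.
$wouldBlock = $signIns | Where-Object {
    $_.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq "reportOnlyFailure" }
}
$wouldBlock |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress,
        @{ n = "Policy"; e = {
            ($_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Result -eq "reportOnlyFailure" } |
                ForEach-Object DisplayName) -join "; " } } |
    Export-Csv -Path $OutCsv -NoTypeInformation

"Legacy-protocol sign-ins: $($legacy.Count); report-only would-block: $($wouldBlock.Count); details in $OutCsv"
```

The Where-Object filtering is done client-side on purpose: the sign-in endpoint is picky about which properties can go in `-Filter`, and a date-range filter plus local filtering is reliable across tenants. Service accounts that show up here with an SMTP or IMAP4 row are the ones to move to OAuth2 or a modern connector before the block policy goes live.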
 
So I'm kinda curious why this late June announcement..maybe it's now touching residential grade Outlook.com stuff?

It's about (almost) precisely what the title says, although it should be "Outlook.com (and other Microsoft email services)" rather than Outlook in that title.

Since it's about syncing MS email services with third-party email clients, it could be SMB and residential, but it's definitely way more about the residential market and those using email clients that don't natively support Exchange. There are untold millions who use third party clients to access MS email services via IMAP, and if they are using ancient email clients that required app-specific passwords, or are using a client like Thunderbird that supports modern authentication, but didn't set things up that way, they've got a couple of weeks of access remaining unless they take the necessary action.
 