Delegate365-Goodbye, Basic Authentication
Wednesday, October 21, 2020
Delegate365 provides a toolbox for easy management of a Microsoft 365 tenant. Management ranges from Exchange Online to Azure AD, SharePoint Online, Reporting and Intune. Delegate365 communicates with the Microsoft 365 services via apps and Modern Authentication, wherever possible. However, a service account had to be used for some Exchange features and the multi-factor authentication management. This will change with the next versions.
Some M365 background information
So far, some Microsoft services such as Exchange Online (EXO) could only be reached with Basic Authentication, while other (new) services such as Microsoft Graph can be used with an app. Basic Authentication relies on sending usernames and passwords with every request increasing risk of attackers capturing users´ credentials. Therefore, Microsoft recommends that you stop using Basic Authentication. Basic Authentication is superseded by Modern Authentication based on OAuth 2.0 that is supported for the new Microsoft 365 services.
Microsoft has announced that it will disable authorization with Basic Authentication for Exchange Online. The only problem for third party tools like Delegate365 is, that Microsoft (still) does not offer an API with modern authentication for EXO administration. They just deliver a new (and faster) Exchange Online PowerShell v2 module - instead of the Remote Exchange PowerShell module - that, at least, supports Modern Authentication with an app and a certificate. So let's take that.
To make it short: Delegate365 takes this into account and will therefore access Exchange Online differently. Basic Authentication will no longer be required in near future.
How Delegate365 communicates with an M365 tenant
When the Delegate365 setup is executed, the setup creates two Delegate365 apps in the Microsoft 365 tenant and automatically removes eventually existing older apps. Delegate365 is using these apps to transfer data to the tenant. Around 90% of all operations are performed through these apps. This also applies to access SharePoint Online. For the rest of the operations, Delegate365 currently requires a service account since Microsoft does not provide an API to access EXO and MFA services with an app. This will change as described below.
Delegate365 versions using a service account
Currently (up to Delegate365 v9.2), Delegate365 is using - next to the apps - a service account for accessing a small number of services. This applies to some operations in Exchange Online and for Multi-Factor Authentication (MFA) operations. The service account can be changed anytime in the Administration / Microsoft 365 account menu. MFA cannot be enabled for this service account, but it can use a password of up to 150 characters or an app password. Customers using MFA, need to make an exceptions for such service accounts for Delegate365 and other background tasks (cron-jobs, etc.) if they are using Conditional Access policies in their tenant.
The service account can then be used by Delegate365 to connect to the Microsoft legacy interfaces.
Note: If Basic Authentication is deactivated in an M365 tenant (see here) or no valid service account is saved, some Exchange functions and MFA will not work in Delegate365. But the rest in Delegate365 still does.
How to use a service account with MFA
As of today, there is a workaround available: Create a service account without MFA, run the Delegate365 setup, activate MFA, enable app passwords, create an app password, and use the app password in Delegate365. See details about the process at the article Delegate365 - Secure and setup your tenant. This workaround will no longer be required with Delegate365 v9.3.
What will change in the Delegate365 setup
To move forward and comply with security policies, Delegate365 v9.3 will no longer require a service account. This means, the setup process for Delegate365 will change as well. The goal is that Basic Authentication can be turned off in the M365 tenant. All operations accessing Exchange Online will be using the latest (currently in preview) EXO v2 module and the Delegate365 app for sending emails. MFA functions are removed (see below).
The new Delegate365 setup tool
With MFA: Administrators can download a Delegate365 setup tool to run the setup task in the next versions. The tool will allow a Global Admin - with MFA enabled - to sign-in interactively and asks for the required Delegate365 parameters on the local computer. The tool then communicates with the Azure AD and creates the apps, and generates a certificate .pbx file and a .json setup configuration file. This information can be uploaded into the new Delegate365 app settings. Then, Delegate365 will use the generated certificate and the app data to access the M365 tenant and all the services.
Without MFA: Alternatively, a Delegate365 service account can be used in the web interface as before, but no MFA must be activated. The setup asks for the service account and for additional parameters (as requested by the new Delegate365 setup tool). As long as no MFA is used, there is no need to use the new setup tool (but it can be used).
The Administrator / Microsoft 365 service account menu will be changed into App settings and allow to upload the generated files or to paste the app data and to modify each setting as well. Existing configuration will be updated and missing entries must be added then. The module will also allow to download the Delegate365 configuration to store the files in a safe place or for documentation. The new setup process and the interface will be described in an extra article when ready.
What will change in the Delegate365: No more MFA functions
This is associated with low costs: Since there is no longer a service account existing, MFA operations will no longer be accessible in Delegate365, as Microsoft does not provide an API for this currently. So, the MFA function in the Users menu will be removed.
Furthermore, the MFA sync rule section will be removed. If this settings was active, after the update to Delegate365 v9.3, this section will no longer be visible and has no effect.
Instead of using these MFA functions, Microsoft recommends to configure Conditional Access, see more here. Just remember, Conditional Access requires an Azure AD Premium P1 license.
The rest of the Delegate365 functionality remains unchanged.
Vote for the MFA API
Microsoft is still in the process to deliver MFA management functionality with the Graph API. We are waiting for that feature. You can support this request at microsoftgraph.uservoice.com. Vote for it! As soon as this API is available, we are happy to reintegrate the MFA functions into Delegate365 again.
With this article we would like to give you advance information about the next steps in Delegate365. At the end of October, we will announce the new features of Delegate365 v9.2. The v9.2 update is planned for mid-November. We plan to release Delegate365 v9.3 with the new setup as indicated here in December.