Don’t Leave Holes in Your Office 365 Security Strategy

Don’t Leave Holes in Your Office 365 Security Strategy

This post was originally published on this site ---

Secure every access point to Microsoft Office 365 emails and data with VMware Workspace ONE.

If your organization is like most, you’re either using Microsoft Office 365 or thinking about an Office 365 implementation. Since the data and email in Office 365 are vital to your business, you’ve probably thought through how to protect Office 365 with application access control policies. You need to ensure, however, that your policies protect all apps with access to Office 365.

Imagine that one of your end users goes to visit family for the holidays. While at her parent’s house, she borrows her father’s laptop to check work emails. Although you require multi-factor authentication (MFA) for access to Office 365, she logs into Outlook 2010 using nothing more than a username and password. Outlook downloads her mailbox, she checks her email, and after a few days, she returns home.

All her emails, however, stay on the laptop. That data is out of her control and out of IT’s control, creating data loss risks if the laptop is sold, lost or compromised with malware. How did your user (unwittingly) bypass your conditional access rules, and what can you do to protect your data and email?

In this blog post, we’ll cover how this data leak occurred, and how VMware Workspace ONE allows you to avoid similar Office 365 data losses and security holes.

Applying Access Policies to Office 365 Authentication Methods

To understand how your user bypassed your MFA requirement, you have to understand that Office 365 supports two ways to log users in: Modern authentication and legacy username/password authentication. In the example above, your user logged in with a legacy username/password client, accidentally bypassing the policies you created to protect Office 365.

To control access to Office 365 emails and data no matter what client your user chooses, you need a solution such as Workspace ONE that protects both authentication methods. Although many Office 365 client apps use newer modern authentication, older Office 365 apps, Android and iOS native mail (using ActiveSync), and third-party Office 365 apps (such as Thunderbird) use legacy username/password authentication.

Protecting both authentication types is vital for most organizations. Workspace ONE controls access to Office 365 no matter which client app a user chooses with policies based on group, network range, device type or OS and more.

Modern vs. Legacy Authentication

Here’s how to tell the difference Office 365 modern authentication and legacy username/password authentication:

Modern Authentication

If the end user is redirected to an IDP in a browser, it’s modern authentication.

Microsoft modern authentication redirects the end user in a browser from the Office 365 app to an identity provider (IdP), such as Workspace ONE, to authenticate. Modern authentication takes advantage of Microsoft’s Azure Active Directory Authentication Libraries (ADAL). For more details on modern authentication, see Microsoft’s summary here.


This is modern authentication. The user is redirected to Workspace ONE in a browser.

Legacy Authentication

If the end user enters credentials into the client’s UI (and there’s no redirection to an IDP), it’s legacy username/password authentication.

In username/password authentication, the Office 365 client collects a username and password in its own UI (rather than sending the user to an IDP in a browser). Because the user enters their credentials into the client rather than using standard browser single sign-on (SSO), legacy username/password authentication doesn’t support advanced features such as MFA or VMware mobile SSO. Microsoft sometimes calls legacy username/password authentication by a more specific name such as basic authentication or the Microsoft Online Services Sign-In Assistant.


This is legacy username/password authentication. The user enters credentials directly into the client UI—there’s no browser redirect to Workspace ONE or another IDP.

Many identity solutions can only protect access to Office 365 for clients using modern authentication. Workspace ONE protects access to Office 365 without requiring additional products or servers, no matter what client a user chooses.

Use Cases for Controlling Access to Office 365

Because modern authentication supports MFA, certificate authentication, VMware mobile SSO and all other standard authentication features of Workspace ONE, organizations have fine-grained control over how they allow access for Office 365 clients using modern authentication.

Controlling legacy username/password clients, on the other hand, is tricky. Because legacy username/password clients only support one authentication method (username and password), organizations can’t rely on the enhanced security of MFA, VMware mobile SSO or other authentication features. Instead, many organizations take the following approaches:

  • Allow legacy username/password access to Office 365 for mobile email only. In this approach, an organization could block legacy username/password access to Office 365 apps and data for all apps and add an exception for native mobile email clients that use Exchange ActiveSync. This approach works well with the mobile email management features in Workspace ONE. Many organizations choose this path because Exchange ActiveSync clients don’t download the user’s entire mailbox, reducing the risk of data loss. Your organization can also choose to limit mobile email access to the extra-secure VMware Boxer app.



  • Allow legacy username/password access to Office 365 only under more secure conditions. Because legacy username/password clients such as Thunderbird or older versions of Office don’t support MFA, some organizations want to limit these clients to only connect to Office 365 under more secure circumstances. For example, you might only allow Thunderbird on your corporate network to ensure users are not downloading their mailboxes on multiple computers. This approach can reduce the risk of data loss.
  • Allow legacy username/password access only for specific users or groups. Organizations may want to limit which users can connect to Office 365. For example, IT could block retail employees from accessing mobile email while they are offsite.
  • Block all access to Office 365 for username/password clients. Some organizations want to ensure all users access Office 365 with MFA, mobile SSO or other secure methods. Because modern authentication supports these methods but legacy username/password authentication does not, these organizations should block username/password client apps. Users will still be able to access Office 365 through Office 2016 apps (or Office 2013 apps, if they are configured correctly).

Workspace ONE & Office 365

Workspace ONE makes securing and deploying Office 365 easier, with industry-leading enterprise mobility management (EMM) to keep your devices and users safe. Learn more about how Workspace ONE protects Office 365, while providing end users with consumer-level ease of use. Visit, or contact your VMware account representative for more details.

Because you liked this post:

The post Don’t Leave Holes in Your Office 365 Security Strategy appeared first on VMware End-User Computing Blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.