Nexus365: An end to Basic Authentication support.

Executive Summary

From 13th October 2020 Microsoft will discontinue support for Basic Authentication for EWS, EAS, IMAP, POP and RPS. This does not (currently) impact SMTP AUTH. Only applications which use secure authentication technologies, such as OAuth 2.0, will continue to work.

Details

In just over one year’s time Microsoft will end support for Basic Authentication. This method of logging in is very simple, and widely supported, but makes it far too simple for someone malicious to intercept your credentials. Quite simply it’s no longer good enough. Microsoft want all users of their service – which includes all Oxford University staff and students – to switch to ‘Modern Authentication’ technologies before October 2020. These use OAuth 2.0 token-based authentication which are more secure because they are application-specific and time-limited, and can’t therefore be re-used.
For message sending you can continue to use Basic Authentication in SMTP AUTH, for the foreseeable future, but we would urge you to seek a more secure alternative if possible.

Impact

POP/IMAP
It is likely that many POP/IMAP clients will be affected. Microsoft will be adding support for OAth to both POP3 and IMAP4 services over the next few months so you should update to a client that supports Modern Authentication as soon as possible.
ActiveSync
Most mobile devices will be connecting via the ActiveSync protocol. Microsoft’s advice is to switch to Outlook Mobile, although there are other applications which also support Modern Authentication if you prefer a non-Microsoft client.
Mobile devices can also access Nexus365 via https://outlook.office365.com/, which will detect a mobile device and reformat the screen appropriately to enable small-screen viewing.
Posted in Uncategorized | Leave a comment

Nexus365 Teams: now with guest access

We are pleased to announce that it is now possible to add almost anyone to a Nexus365 team. All that is required is for the individual you wish to add to your team to have a valid email address and a Microsoft account. If they don’t yet have a Microsoft account they will be prompted to create one (free). This Microsoft account will always remain separate from and unrelated to the Nexus service.

How to add a guest to a Team

These are the steps a team owner needs to follow in order to add a guest to their Nexus365 team:

  1. From within the Teams app, the owner needs to select ‘Add member’ as shown below.
    :

 

 

 

 

 

 

2. In the ‘add members’ dialogue box you can now enter any valid email address – you are no longer limited just to Nexus365 user accounts:

 

 

 

 

3. Once you’ve added the email address an email is sent immediately to that address to notify the person that they’ve been added to the team. The link will open the Teams web app by default but will also provide a download link to the full Teams client software, if it’s available for their operating system:

 

 

 

 

4. If they already have an account with Microsoft associated with their email address, they’ll be prompted to log in. If not they will be asked to create an account with Microsoft:

 

 

 

 

 

 

 

5. The final step before they are granted access to the team is for them to review and accept the access permissions that Nexus will request in order to give them access to the team’s content.

 

 

 

 

 

 

 

 

Team owners can review the status of prospective members by checking the ‘source’ column when looking at their team’s members.

  • ‘Azure Active Directory’ is a Nexus365 user.
  • ‘External Azure Active Directory’ is someone from another organisation who also uses Office 365, which includes the Said Business School members.
  • ‘Invited user’ is an external email address for whom access has not yet been given, but they have been sent the team membership email.
  • ‘Microsoft account’ is an external email address to which access to the team has been granted.

Notes and queries

  1. It is not possible to remove a team, or the last owner of one, while guest accounts are still members of one. This is to ensure that there are no teams to which only external people have access.
  2. Guests can view the team’s membership but not amend it.
  3. Removing a guest from a team revokes their access instantaneously. If logged in at the time, their window will go blank.
  4. Reinstating a guest’s access is also instantaneous.
  5. Guests are unable to send email to the team’s email address.
  6. The maximum ratio is five guests per full team member.

 

Posted in Uncategorized | Leave a comment

Teams toolbar transition

Microsoft are redesigning the Teams interface to introduce a single toolbar for the controls used in meetings and when calling. The rollout will begin in early June and will continue until the end of August 2019.

The intention is to improve discoverability and reduce clutter for users in meetings and calls by unifying session controls to a single toolbar at the bottom of the screen. This change will affect Windows, Mac, and web clients. There will be no impact for mobile or Microsoft Teams Rooms (MTR) devices.

Posted in Uncategorized | Leave a comment

Nexus365 Teams on Linux

Nexus365’s TEAMS application has, to date, been predominantly targeted at the Windows desktop. Other operating systems have had access to limited functionality via a web browser but the inability to video-conference, share desktops or applications, or to give presentations has limited the usefullness of the feature for Linux users.

Forcing users to boot a Windows VM simply for a meeting, to send emails, or to collaborate with colleague is far from an ideal solution. Things are, thankfully, improving. There is yet to be an official Teams client for Linux but in the interim additional functionality is now available, albeit with some preparatory effort.

By using a Chromium -based browser, tweaking a few settings , and installing a single browser extension, you can achieve near-parity with the full Windows Teams client. This will allow in-private video calls, presentations, and other functions not previously possible for Linux users.

This should be considered as a beta, or a work-in-progress, rather than a permanent well-tested solution. Microsoft are asking the Linux community to feed back and are promising to make further updates based on those responses.

What do I have to do?

  1. Ensure you have either Chrome for Linux, or a Chromium for Linux browser.
  2. Install the following extension from the Google Webstore: User Agent Switcher for Chrome.
  3. Add one or both of the following user agent strings to the “User Agent Switcher for Chrome”. This will allow you to switch to the desired one that works for your system:
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393X
  4. Click the User Agent Switcher and choose your Edge browser string. This should remain selected until you change it to something else or back to the browser default.
  5. Open the Chrome browser, in the address bar type Chrome://flags and hit the Enter key. In the search box provided, search for each of the settings below. Set each one to ENABLED:
    Hardware Acceleration
    – Override software rendering list: ENABLED
    PWA
    – Enable PWA full code cache: ENABLED
    – Desktop PWAs: ENABLED
    – Desktop PWAs Link Capturing: ENABLED
    WEBRTC
    – Negotiation with GCM cipher suites for SRTP in WebRTC: ENABLED
    – Negotiation with encrypted header extensions for SRTP in WebRTC: ENABLED
    – WebRTC Stun origin header: ENABLED
    – WebRTC Echo Canceller 3: ENABLED
    – WebRTC new encode cpu load estimator: ENABLED
    – WebRTC H.264 software video encoder/decoder: ENABLED
    Downloads
    – Parallel downloading: ENABLED
  6. Verify that those settings work:
    – Open Microsoft Teams in your browser.
    – Start a private chat with someone and verify that the video chat icon switches from grey to purple and white. If so, you can start making video calls and you should also be able to make a presentation.

These same settings should also enable the same functionality on other operating systems, although naturally those cannot be assumed to have received any testing.

Known issues

While you can use the EDGE UA to participate in Conference calls it may cause issues with not displaying the most current posts in a TEAMS channel. So you may have to switch between the EDGE UA and the browser default UA.

Posted in Uncategorized | Leave a comment

Skype / Teams ‘background blur’

Microsoft have just introduced a new feature to video calls made within Skype for Business and Teams: a ‘background blur’ feature that means you don’t have to think quite so much about tidying up your surroundings before joining that call.

The process using artificial intelligence to identify the person making the call, keeping you in focus, while blurring the background. It’s therefore not perfect and it is possible to confuse the software – it won’t always work. Microsoft are at pains to point out that you can’t rely on background blur to hide confidential information that may be nearby.

Accidentally broadcasting wifi password on TV

But it might have helped the organisers of America’s Superbowl a few years ago from telling the whole world their wifi password…

At this stage the idea of background blur is really just a bit of a gimmick but it does indicate an interesting new real-world example of how AI technology is being developed in new directions.

Here’s how to try out the feature:

How to enable background blur in Teams

Before calling

Before a call use the option below ‘join now’

Add blur during a call

Turning blur on during a call…

 

 

 

 

 

 

 

 

 

 

 

How to enable background blur in Skype

 

 

 

 

Posted in Uncategorized | Leave a comment

New mobile Outlook

Microsoft will soon be rolling out a new feature within Outlook for iOS and Android which adds a new mailtip or notification when composing messages. The intention behind this feature is to reduce the risk of sensitive information being inadvertently sent to external email recipients.

What’s changing?
When composing or replying to a message with external recipients using Outlook for iOS and Android, the external recipient email address is highlighted in the address list. It may also be highlighted in the message body if someone is @mentioned. A small notice label is visible in the message header during the compose or reply process. This is NOT visible by the external recipients once sent.

Outlook mobile will clearly alert you when an external recipient is in the email address list when composing or replying to email messages, as shown in the image.

This capability is being rolled out by Microsoft already, but with the default setting set to OFF. From the 4th March Microsoft will change the default settings to ON. From that date Nexus365 users running Oulook on iOS or Android devices will therefore start to see this mailtip or notification whenever there is a recipient in the To, Cc or Bcc lines that is outside the University.

Please note that, as far as Nexus365 is concerned, an ‘external email recipient’ will include units which handle their own email and don’t use the central IT Services Nexus365 service. This would include, but is not limited to, the Saïd Business School and the department for Continuing Education.
This enhancement is related to Microsoft 365 Roadmap ID 27555 and 27556.

Posted in Uncategorized | Leave a comment

Nexus365’s default homepage will become office.com

Nexus365 currently includes a user-customisable setting that allows users to personalise what page they land on when they log into the Nexus365 portal. However Microsoft have chosen to remove this functionality. They have begun rolling out a new (mandatory) home page for users logging in via the web. This will soon replace any customised landing page.

The thinking behind this change is that Microsoft’s Office.com page has evolved. Now it shows users’ most relevant applications, documents, and places where they are working. Since this useful information is all collected in one place Microsoft believe that it makes for a more useful, more consistent (and thus easier to support) default page when someone signs into Nexus365 at Office.com.
Users who miss the customised starting page can continue to use browser bookmarks and direct URL navigation to get to specific Nexus365 components, applications, or pages.

When will this happen?
The change should first become visible in March 2019, when users who have set a start page other than Office.com will be directed to Office.com when they log-in.

What should I do to prepare?
Informing your users of the upcoming change would be sensible, and encouraging them to bookmark any custom page they’ve set as their start page.

How can I stay informed?
The Nexus Team make information available via this blog, and via the IT Services Service Desk.
You can also review upcoming changes yourself via Microsoft’s roadmap page. This specific change can be found on that roadmap here.

Posted in Uncategorized | Leave a comment

Outlook and repeating webauth logon popups

A number of Nexus users have recently logged support tickets with the Service Desk regarding a repeating cycle of logon authentication requests in Outlook. Similarly affected users may receive an error stating ‘You need the internet for this’ even when they are self-evidently connected and online.

Investigation has shown that – generally but not exclusively – this seems to affect users running versions of Office downloaded from the Nexus365 portal, and who are running Windows 10 as their operating system.

ITSS advice and things to try:

  1. Under Settings>Accounts>Access Work or School, remove any reference to an OnTheHub or personal Microsoft account.
  2. Ensure that your local firewall, antivirus software, and/or Windows Defender are not blocking processes that engage in authentication token acquisition.
  3. Removing stored accounts from Credentials Manager, and rebuilding Outlook’s profile may also help.
  4. There is a registry fix which can resolve this issue. However as the issue is due to be patched early in 2019 if you use this solution we strongly recommend you schedule to reverse it once the fix is released. With that borne in mind:
    Starting from build 16.0.7967, Office switches from Azure Active Directory Authentication Library authentication (ADAL) to Web Account Manager (WAM) for sign-in workflows on Windows builds later than 15000 (Windows Version 1703, build 15063.138). The workaround is to disable WAM by modifying the following key:[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\
    “DisableADALatopWAMOverride”=dword:00000001
Posted in Uncategorized | Leave a comment

Thunderbird 60 and Nexus365 calendars

It has been brought to our attention that a recent update to Thunderbird – bringing the version number up to v60 – has the unfortunate side-effect of breaking Nexus365 calendars. Experimentation within the Nexus team has shown that the only calendar functionality that remains intact during testing is the use of one’s own calendar and, bizarrely, a single meeting room.

Calendar issues aside, this upgrade to the application is worthwhile. Testers within the Nexus team described it as  “…definitely snappier and more responsive.”

Mozilla have made a big jump with the plug-in architecture for Thunderbird (as happened for Firefox about a year ago), so to continue to use Nexus365 calendars within Thunderbird we will have to wait for the developers of the exchangecalendar plug-in to get their heads around the new design. In the meantime Outlook Web App (http://outlook.office.com) gives calendar functionality via almost any modern browser.

Mozilla have provided the following guidance regarding calendar issues post upgrade:

https://support.mozilla.org/en-US/kb/calendar-updates-issues-thunderbird

This may also be useful:

https://www.thunderbird.net/en-US/thunderbird/60.3.1/releasenotes/

 

EDIT: Version ‘v5.0.0-alpha2’ of the exchangecalendar add-on was released in the last 24 hours. Testing within the Nexus team has shown that with this version delegate calendars re-appear. https://github.com/ExchangeCalendar/exchangecalendar/releases

 

 

 

Posted in Uncategorized | Leave a comment

Linux and Microsoft Teams

The fifth most-requested feature for Teams is a client for Linux. This simple request has garnered over five thousand votes since it was first posted two years ago.

Since Microsoft are slowly moving away from Skype clients, pushing communications functions into the Teams application, this will clearly become more of an issue as time goes on. In the current documentation Microsoft state that Meetings work on Chrome 59 (and later). Firefox users are effectively being told that they should replace their browser.

There is a convoluted work-around to permit video calls and presentations to work but it’s very much a fudge: it effectively persuades the server that you’re running the Edge browser.

However, as of yesterday, it seems that there may be a hint of progress. Some engineering time may even be being allocated to resolving these issues. In a tweet yesterday Microsoft’s Suphatra Rufo gave a hint that there may be progress.

If you are a Linux user and need a proper Teams client please add your voice here:
https://microsoftteams.uservoice.com/forums/555103/suggestions/16911565

Posted in Uncategorized | Leave a comment