Three years ago, Microsoft announced their intention to disable basic authentication to connect to mail servers. While we can debate the correctness of their decision — some could say why not leave the choice to the end-user — the main problem was that it was not clear how to move to the new authentication system in server-based applications such as ours where we don't have an end-user to authorise the request. They didn't have this for IMAP almost a year ago and still don't for SMTP. Only recently (about a month ago) did they publish a document on how to get this done for IMAP. That documentation is confusing, and there are errors; the number of posts on the net about this document is a testament to its lack of clarity. The end-user is also expected to execute about 6 PowerShell commands in Azure Portal's PowerShell. They are not all copy-paste commands — you must copy IDs from different places in the Azure portal. And there has been significant confusion about which IDs to copy to execute these commands.
We are not a "Microsoft shop", and it has been severely frustrating for our developers to work on things without much supporting documentation. Thousands of posts on the net will reveal how everyone is struggling with it.
Microsoft, on 1st September 2022, announced that they had extended the deadline to 1st January 2023. It was the correct decision considering the lack of resources for developers for so long.
So how does this affect you?
Here is our understanding:
We use the industry-standard SMTP protocol to send notifications from the Celoxis application. We use SSL if your email server supports it. Nothing changes in this respect, as Microsoft will not use "modern authentication" for this protocol.
If Celoxis has been set up to receive email over IMAP, then you should re-enable basic authentication if Microsoft disables it. Microsoft said in their latest post that they would do this randomly, and you can allow basic authentication once until Jan 2023. So be careful not to disable it.
Meanwhile, we will consider our options. We have the code working to handle modern authentication for IMAP, but given how complex the process is for end-users, we are confident that the customers will not be able to do it without errors and ultimately blame us if it doesn't work.
Supporting Microsoft products has been very difficult; this is just another example. It's not just about writing code but also about supporting it. If email notifications are not sent out, we are answerable. Sysadmins, at the customer's end, are expected to set up their email servers correctly. Unfortunately, they are unaware of all the different and complex settings that result in our software not working as expected and cannot debug it (at least ten things need to be checked for modern authentication). We have to do it for them to prove that it is not our problem. Our support team can help with issues with our product, not Microsoft's. And it is a very time-consuming process that results in a tremendous loss of productivity and is simply unaffordable at our price point.
We will keep you posted on our decision.