[FreakyT]

To be fair, it’s the security team’s idiotic position on IMAP that prompted the parent commenter to find a workaround.

It’s like how having super draconian password reset and complexity requirements ends up being less secure because users will start writing their impossible-to-remember passwords on post-it notes.

[yunohn]

There’s a big difference between password reset rules, and giving third-parties access to emails and calendar.

There is nothing draconian about restricting IMAP - any app could exfiltrate confidential emails once granted access. It’s a very sane rule to disallow everything except webmail or first party apps.

[beprogrammed]

It's a terrible process for the users. And as we can see what did it get them, a third party logging into there webmail.

The service is protected with a username and password, didn't matter if it was IMAP or webmail.

[analognoise]

An employee who redirects company emails to get around a security rule becomes an ex-employee very quickly.

[yunohn]

Of course it does matter! Webmail is quite restricted and optimized for viewing and replying to emails. IMAP is great for that, while also facilitating exporting (exfiltrating) the entire mailbox.

[jabroni_salad]

The IMAP blocking is for different draconian reasons. Office365 does not support Modern Auth with IMAP, which is considered a security baseline now.

[corty]

Office365 supports Kerberos with IMAP, which would be the proper thing to do anyways. Giving passwords to a browser or email application is wrong.

[tialaramex]

"modern Auth" means OAUTH, so, you aren't giving passwords to the email application.

If you have IMAP on GMail you get two choices, you can admit you're sacrificing security, and they'll mint a random password just for that IMAP application, or you can use OAUTHBEARER. As I understand it if enabled IMAP for Office365 can do OAUTHBEARER.

The nice thing about OAUTH is that it's a natural integration for your multi-factor authentication, which as I understand it doesn't fit well into Kerberos. But to be sure Kerberos is much better than yet another human memorable secret password exchange.

[nerf_javascript]

It's the complete opposite, Office365 only supports OAuth with IMAP and is phasing out/has phased out Basic Auth for IMAP. Additionally more often than not organizations are actually running Microsoft Exchange under the hood -- the majority of MS Exchange servers have Basic Auth disabled for IMAP (I believe since 2017 it's been off by default).

[zerocrates]

I'm pretty sure they do? I definitely set up a O365 account in Thunderbird using IMAP and OAuth, which I assume is sufficiently "modern auth."