3

In regards to the following message in Office 365 (and Office apps):

To help provide additional security coverage, we are changing how form-based authentication in Office applications is handled. Forms-based authentication is a legacy authentication method for Office resources that are not protected by Azure Active Directory (AAD) or Microsoft account (MSA).

A new update was recently rolled out across the suite which impedes users from accessing servers which implement MS-OFBA, citing it as insecure.

If this is the case, what is the preferred way of authenticating users against a WebDAV service?

Jan Martin

2 Answers

0

Unfortunately, we do not know any solution for this issue currently. Authentication against Azure AD does not help - this message appears anyway. Also, Microsoft did not provide an alternative for MS-OFBA as far as we know. Fortunately, you just need one click and this message does not show any more.

IT Hit WebDAV
0

Hmm, there must be a way around this problem.

If we use Azure AD to authenticate against our WebDAV-server (such as IT Hit WebDAV), then isn't this exactly what we have when we use Office apps against documents stored in SharePoint Online (which in a sense is a webdav server protected by Azure AD)? And in that case, there is no warning.

I believe that it must be possible to do what Microsoft does here; I don't think they have legal rights to use "back-doors" to implement things that other companies can't. Have you investigated this, IT HIT?

Fredrik Gunne
  • The IT Hit WebDAV Azure AD integration uses MSOFBA as a wrapper around AzureAD; it doesn't actually use Bearer auth. There is some evidence that you can serve your own Bearer auth using AzureAD. I have confirmed at least once that I was able to authenticate as expected, but it seems you need to do it in a very specific way to get it to work consistently... https://stackoverflow.com/a/66352109/2041219 – Jan Martin Sep 15 '21 at 23:12
  • Thanks, @JanMartin! That proves it is doable. What surprises me is that IT HIT WebDAV doesn't implement "pure Azure AD"-auth, i.e. without MSOFBA in their product, given that Microsoft considers this a legacy/unsecure mechanism. I hope IT HIT WebDAV is monitoring this discussion, but I will send them a PM. – Fredrik Gunne Sep 17 '21 at 08:52