Latest version of Microsoft Office block MS-OFBA requests

Question

In regards to the following message in Office 365 (and Office apps):

To help provide additional security coverage, we are changing how form-based authentication in Office applications is handled. Forms-based authentication is a legacy authentication method for Office resources that are not protected by Azure Active Directory (AAD) or Microsoft account (MSA).

A new update was recently rolled out across the suite which impedes users from accessing servers which implement MS-OFBA, citing it as insecure.

If this is the case, what is the preferred way of authenticating users against a WebDAV service?

Answer 1

Hmm, there must be a way around this problem.

If we use Azure AD to authenticate against our WebDAV-server (such as IT Hit WebDAV), then isn't this exactly what we have when we use Office apps against documents stored in SharePoint Online (which in a sense is a webdav server protected by Azure AD)? And in that case, there is no warning.

I believe that it must be possible to do what Microsoft does here, I don't think they have legal rights to use "back-doors" to implement things that other companies can't. Have you investigated this, IT HIT?

Answer 2

Unfortunately, we do not know any solution for this issue currently. Authentication against Azure AD does not help - this message appears anyway. Also, Microsoft did not provide an alternative for MS-OFBA as war as we know. Fortunately, you just need one click and this message does not show any more.