Office 365 direct email from Dynamics GP:
issue with impacts October-2022
Important Client Notice: Upcoming Fall 2022, Dynamics GP issue with Office 365 (and resolution) for sending emails
November 2021, January 15, 2022, January 27, 2022, April 1, 2022 Updated September 29 2022: Our team at GP Support North / Endeavour Solutions has a forward looking perspective An Official Notice (based on a preliminary change, tested and launched by Microsoft, and since rolled-back, and now being re-launched). There are some soon-to-be permanent security changes by Microsoft that will stop emails from being sent via Office 365 / Exchange Online AS OF OCTOBER 1 2022 in certain situations from Dynamics GP and related components including Microsoft SQL Server while using Office 365 and Exchange Online.
TARGET RETIREMENT DATE: October 1, 2022
Starting October 1st, Microsoft will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. If you have removed your dependency on basic auth, this will not affect your tenant or users. If you have not (or are not sure), check the Message Center for the latest data contained in the monthly usage reports Microsoft has been sending monthly since October 2021.
Anticipated that 95%+ of clients using older versions of Dynamics GP will be affected by the Office 365 SMTP-Legacy / TLS Authentication "Speed Bump" periodically throughout 2022 - Culminating a permanent Shut-Off in October 2022.
May 15, 2022 - There is now official confirmation from Microsoft that as of October 1, 2022, the "basic level of Authentication for Exchange Online (Office 365) will be shut-off" which will result in the following error screen seen with Dynamics GP:
Login Failed: Check your login information and try again
April 1, 2022 - We have been receiving reports and have confirmation from Microsoft that Dynamics GP 18.3 MFA is not working well, and thus a STRONG recommendation to upgrade to Dynamics GP 18.4. Note that the Dynamics GP 18.3 service patch results in an upgrade to GP 18.4.
Jan 15, 2022 - Announced by Avalara (tax system for GP) plans to stop support for TLS 1.0 as of March 31, 2022 via their Production RESTv2 API. There is a work around to extend to Dec 31st, then all is decommissioned.
These are affecting clients with the following:
- Clients using Microsoft Dynamics GP (Great Plains) 18.2/18.3 and older
(GP 2010, GP 2013, GP 2015, GP 2016, GP 2018, GP 18.1 and GP 18.2)
(Q2 2022 update, GP 18.3 should also be updated to 18.4)
- ONLY those users who are sending email from Dynamics GP – for example, automated or user-driven invoices, workflow approval notifications, EFT remittance notices, sales documents, POs, and other will be affected;
AND your email is hosted in Microsoft Office 365 and connected via TLS 1.0.
Those who have upgraded to Dynamics GP 18.4 (GP 2022) are not impacted as there is stable support for MFA and the TLS 1.2 security standards.
- ONLY those users who are sending email from Dynamics GP – for example, automated or user-driven invoices, workflow approval notifications, EFT remittance notices, sales documents, POs, and other will be affected;
What will be causing emails not to send? How to fix GP email?
The main cause of concern is the anticipation of Dynamics GP not being able to send emails via Microsoft Office 365 (Outlook) is an update in the security parameters for Microsoft365 / Office 365 (Cloud email) and Exchange Online is phasing out the encryption protocols SSL 2.0, TLS 1.0 and TLS 1.1, and replacing with the newer and more secure TLS 1.2 . Microsoft Announcement
The TLS 1.2 encryption (similar to computer to computer authentication) will prevent a known security limitation that could allow hackers to gain access to the Office 365 Admin Panel. This is NOT a Dynamics GP security issue and will not expose GP, but rather is an emerging security requirement of Office 365, for which older versions of GP that use TLS 1.0, do not recognize the newer TLS 1.2 standard. Microsoft may release a GP update in the future (currently told most likely NOT), at this time (April 2022), none has been announced beyond providing the Dynamics GP 18.4 updates for clients current on Enhancement (Annual software renewal). Note that GP 18.3 is no longer being updated.
Options to restore the proper functioning of email via Dynamics GP:
1. Upgrade Option: an Upgrade to Dynamics GP 18.4 (GP 2022) will resolve the security issue and thus allow Dynamics GP to send emails through Office 365. GP upgrade.
Microsoft GP Blog Post on Nov 8, 2021/ updated Dec 8 2021 / Update 03/10/2022: recommended resolution is to upgrade to Dynamics GP 18.4 - https://docs.microsoft.com/en-us/dynamics-gp/installation/email-troubleshooting-guide
2. Security Option: There is a TEMPORARY ‘optional work-around’ that will allow emails to work, but it requires a downgrade of security settings (Not recommended by Endeavour). This should be considered a temporary fix, both for associated security risks, as well as the risk that TBD future Microsoft Windows updates may force additional security settings, thus stopping the ability for this work-around to allow GP to send emails via Office 365. Contact our GP Support Team
3. Optional 3rd Party ISV software - Liaison EDD
Microsoft Notices for Office 365 (note that GP is not mentioned as this is a scheduled Office 365 security change)
Microsoft Announcement - https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/opt-in-exchange-online-endpoint-for-legacy-tls-using-smtp-auth
MICROSOFT: Exchange Online no longer supports use of TLS1.0 and TLS1.1 in the service as of October 2020. This change is due to security and compliance requirements for our service. While no longer supported, our servers still allow clients to use those older versions of TLS when connecting to the SMTP AUTH endpoint (smtp.office365.com).
MICROSOFT: In 2022, Microsoft plans to completely disable those older TLS versions to secure our customers and meet those security and compliance requirements. However, due to significant usage, we've created an opt in endpoint that legacy clients can use with TLS1.0 and TLS1.1.
MICROSOFT: Note that this endpoint is not available in GCC (USA Government Community Cloud), GCC-High, or DoD (USA Dept. of Defense) environments that "already" have legacy TLS 1.1 permanently turned off.
Received via email by your Microsoft 365 / Office 365 administrators
MICROSOFT: Reminder: Disabling TLS 1.0 and TLS 1.1 in Microsoft 365
MICROSOFT: MC240160 This message post is a reminder of the ongoing progress of retiring TLS 1.0 and TLS 1.1 protocols in Microsoft 365.
As previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018, MC186827 in July 2019, and MC218794 in July 2020), we are moving all our online services to Transport Layer Security (TLS) 1.2+ to provide best in class encryption, and to ensure our services is more secure by default. The changes to enforce TLS1.2+ in our service started on October 15, 2020 and will continue to propagate through all Microsoft 365 environments for the next few months.
If you have not taken steps to prepare for this change, your connectivity to Microsoft 365 might be impacted.
MICROSOFT: We are fully aware that many customers will not have noticed the multiple Message Center posts and blog posts, and are not aware of clients or devices that are still using TLS1.0 to submit messages. With this in mind, starting in September 2021, we will reject a small percentage of connections that use TLS1.0 for SMTP AUTH. Clients should retry as with any other temporary errors that can occur during submission. Over time we will increase the percentage of rejected connections, causing delays in sending that more and more customers should notice.
The error will be:
421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2.
or
Action required: Review your Azure Services Certificate Authorities
We are updating Azure services in a phased manner to use Transport Layer Security (TLS) certificates from a different set of Root Certificate Authorities (CAs). This began 13 August 2020.
MICROSOFT: We intend to make a final announcement when we are ready to make the change to disable TLS1.0 and TLS1.1 for SMTP AUTH for the regular endpoint.
