AskCody integrates with Microsoft Exchange using either Basic or Modern Authentication.
Simply put, this means that AskCody integrates with Microsoft Exchange using Exchange Webservices Managed API and integrates with and shares data using Microsoft EWS – a native part of Microsoft Exchange (Server) and Microsoft Exchange Online available for developers like AskCody, used to share data with third-party applications.
Integrating a Microsoft EWS Application with Microsoft Exchange is done using one of two authentication methods depending on Exchange Server or Exchange Online. These are referred to as Modern- and Basic Authentication and are used for Exchange Server and Exchange Online respectively.
Modern and Basic Authentication
With Modern Authentication, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow. This means that no Service Account and no credentials are shared with AskCody when integrating AskCody with Exchange.
Modern Authentication can only be used with Exchange Online and Office 365.
The Microsoft Exchange Team announced in July 2018 that support for Basic Authentication in Exchange Online will end on October 13th, 2020 (click here to learn more). Instead, Microsoft now recommends the use of Modern Authentication, which is based on the widely used OAuth 2.0 protocol. This is more secure because Modern Authentication doesn’t require a service account, and therefore doesn’t involve a password that can be compromised.
Basic Authentication requires that you integrate using a username and password of an Exchange Service Account when integrating AskCody with Microsoft Exchange.
To make this step of integrating AskCody to Microsoft Exchange secure, we have built-in Microsoft Azure Key Vault to AskCody's Platform. Credentials are then stored encrypted in Azure Key Vault instead of AskCody.
These credentials are then used to integrate with Exchange Web Services (EWS) to access data in Microsoft Exchange.
With an Exchange Server integration using a Service Account, you administer the credentials to this account and are responsible for entering these into the AskCody Management Portal when integrating Microsoft Exchange with AskCody.
Credentials are subsequently end-to-end hashed and encrypted, so they never appear in plain text, when entered in the AskCody platform, meaning they never appear in plain text anywhere in a system or in a database, and therefore can't be compromised. The credentials are hashed and encrypted both at rest and at motion. The Service Account (email and password) entered in the AskCody Management can thus be used solely by the AskCody platform to log in via EWS to access the meeting data in meeting room resources integrated with the platform.
If you are not familiar with how to create a Service Account and provision this role with the right permissions, please read and follow this guide on how to create a Service Account on Microsoft Exchange.
What is the difference between Basic and Modern Authentication?
Basic Authentication requires that you share a username and password of an Exchange service account with AskCody when integrating AskCody with Exchange (As mentioned above, the password is stored encrypted in Azure Key Vault.) These credentials are then used to integrate with Exchange Web Services (EWS) to access data in Exchange.
With Modern Authentication, there is no Exchange Service Account and no credentials are shared with AskCody integrating AskCody with Microsoft Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow.
How access to mailboxes is configured is also different between Basic and Modern Authentication. With Basic Authentication, the Exchange service account is granted access to relevant mailboxes using the Application Impersonation role. With Modern Authentication, the Use Exchange Web Services with full access to all mailboxes permission is granted to the AskCody EWS application as part of the consent flow. Using this authentication method Application Impersonation is therefore no longer required which is a major step forward in securing that no service account can be compromised. The need for an Application Impersonation Service account for web applications to connect to Exchange is therefore no longer a hot topic in your IT and Security organization.
Who can use Modern Authentication instead of Basic Authentication?
Using OAuth as the authentication method is only available if you are on Exchange Online. If you are running Exchange Server, basic authentication is still the only authentication method available.
Why using Modern Authentication requires a Global Admin account with a Mailbox authenticating the account
For integrating AskCody with Microsoft Exchange using Modern Authentication (Oauth), verifying that a mailbox exists for the user (the email address) is part of the validation and verification process. This ensures that an integration between the Exchange mailboxes and AskCody can be established.
In the AskCody Admin Center, when creating an integration with Exchange using Modern Authentication, AskCody verifies the integration by checking whether a mailbox exists for the email address of the user that is currently logged in to the AskCody Admin Center. The email address in question is shown in the upper right corner of any Admin Center page.
If a mailbox exists with that email address, the integration can be verified. If not, it can't. Therefore it is required that a Global Admin account has a mailbox.
The reason we check for a mailbox is that we want to make sure that we can actually access an Exchange mailbox when integrating AskCody with Microsoft Exchange. This is really important to prevent issues later on because Exchange mailboxes are the premise for all AskCody products and Full Access to all mailboxes is necessary for the AskCody products to function properly (see requirements for Full Access further down) Therefore, we developed Modern Authentication with the requirement for a Global Admin user with a mailbox.
This does not mean that the AskCody EWS application runs through the Global Admin account. The Global Admin account is only needed to approve the AskCody EWS application to access meeting data. Once approved the application will then check if it is able to access the Global Admin's mailbox. If this is possible the application has been authenticated and the integration between AskCody and Microsoft Exchange has been established.
This means that the Global Admin does not need to have a mailbox or even be an active user after the integration has been established unless the integration needs to be re-authenticated.
As an extreme example, it would be possible to create a new Global Admin with a mailbox, approve the AskCody EWS application, establish an integration, and then delete the Global Admin account completely.
Why is full access to all mailboxes needed?
“….With Modern Authentication, the Use Exchange Web Services with full access to all mailboxes permission is granted to the AskCody EWS application as part of the consent flow.” Why?
Modern Auth (OAuth authentication) for EWS is only available in Exchange Online as part of Office 365. EWS applications using OAuth requires the "Full access to users' mailbox" permission to work. Full Mailbox Access is, therefore, the only permission type that can be granted for EWS Applications. Please see: this knowledge base article by Microsoft.
With Modern Authentication, there is no longer an Exchange service account and no credentials are shared with AskCody when integrating AskCody with Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow. The "Full access to user's mailbox" permission is the only available permission type, and is therefore required.
The AskCody EWS application is registered in Azure AD following best practices for accessing EWS using the OAuth 2.0 protocol because it’s required that the application must have an application ID issued by Azure Active Directory.
That said, the data the AskCody EWS application is accessing is still controlled and regulated by the data processing agreement as entered with all AskCody customers, meaning there is no change in which data AskCody access or process on behalf of the data controller.