Basic Authentication vs. Modern Authentication when integrating AskCody with Microsoft Exchange

Understand the difference between Basic and Modern Authentication and how it applies to AskCody

The AskCody Platform is built as a Microsoft EWS Application, meaning that it uses Microsoft's Exchange Web Services (EWS) API to integrate with a customer's Exchange Server or Exchange Online tenant.
An API is an interface that lets two or more software programs communicate and share data. Microsoft's API for Exchange is called Exchange Web Services (EWS) and lets AskCody access the customer's Exchange data and items such as calendars, calendar events, and contacts. The AskCody Platform is therefore an EWS Application, and is referred to as such in the following.

Simply put, this means that AskCody integrates with Microsoft Exchange through the EWS Managed API and shares data with Exchange via EWS, a native part of Microsoft Exchange Server and Exchange Online that Microsoft makes available to developers such as AskCody so that third-party applications can exchange data with it.

Connecting a Microsoft EWS Application to Microsoft Exchange is done using one of two authentication methods, depending on whether you run Exchange Server or Exchange Online. These are referred to as Modern Authentication, used with Exchange Online, and Basic Authentication, used with Exchange Server (and historically with Exchange Online as well).

Modern and Basic Authentication

Modern Authentication
With Modern Authentication, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 consent flow in Azure Active Directory. The AskCody EWS application then authenticates to EWS with the OAuth 2.0 client credentials flow, using a certificate rather than a password. This means that no Service Account is created and no credentials are shared with AskCody when connecting AskCody with Exchange.

Modern Authentication can only be used with Exchange Online and Office 365.

The Microsoft Exchange Team announced in July 2018 that support for Basic Authentication for EWS in Exchange Online would end on October 13th, 2020. Instead, Microsoft recommends Modern Authentication, which is based on the widely used OAuth 2.0 protocol. This is more secure because Modern Authentication doesn't require a service account, and therefore doesn't involve a password that can be phished, reused, or leaked; the application's certificate private key still has to be protected, but it is held by AskCody's application and is never entered into or shared with the customer's tenant.

Basic Authentication
Basic Authentication requires that you connect using a username and password of an Exchange Service Account when connecting AskCody to Microsoft Exchange.

To keep this step of connecting AskCody to Microsoft Exchange secure, the AskCody Platform stores these credentials in Microsoft Azure Key Vault. The credentials are kept encrypted in Azure Key Vault rather than in AskCody's own database.

These credentials are then used to connect to Exchange Web Services (EWS) to access data in Microsoft Exchange.

When connecting to Exchange Server with a Service Account, you administer the credentials of this account and are responsible for entering them in the AskCody Management Portal when connecting Microsoft Exchange to AskCody.

Credentials are encrypted as soon as they are entered in the AskCody Management Portal, protected in transit, and stored encrypted in Azure Key Vault, so they are never written in plain text to a log or database. Note that they cannot simply be hashed: Basic Authentication requires the actual password to be presented to Exchange on every request, so the platform must decrypt the secret whenever it signs in to EWS. That residual exposure of a usable password is exactly what Modern Authentication removes. The Service Account (email address and password) entered in the AskCody Management Portal is used solely by the AskCody platform to sign in via EWS and access the meeting data in the meeting room resources connected to the platform.

If you are not familiar with how to create a Service Account and provision this role with the right permissions, please read and follow this guide on how to create a Service Account on Microsoft Exchange.

Basic Authentication is often used with Exchange Server but can be used with Exchange Online as well.

What is the difference between Basic and Modern Authentication?

Basic Authentication requires that you share a username and password of an Exchange service account with AskCody when connecting AskCody to Exchange (As mentioned above, the password is stored encrypted in Azure Key Vault.) These credentials are then used to connect to Exchange Web Services (EWS) to access data in Exchange.

With Modern Authentication, there is no Exchange Service Account and no credentials are shared with AskCody connecting AskCody with Microsoft Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow.

How access to mailboxes is configured also differs between Basic and Modern Authentication. With Basic Authentication, the Exchange service account is granted access to the relevant mailboxes through the ApplicationImpersonation role, which can be limited to a subset of mailboxes with a management scope. With Modern Authentication, the "Use Exchange Web Services with full access to all mailboxes" (full_access_as_app) application permission is granted to the AskCody EWS application as part of the consent flow. With this method no ApplicationImpersonation role assignment and no service account are required, which removes the risk of that service account's password being compromised. The need for an Application Impersonation service account for a web application to connect to Exchange therefore no longer has to be a topic in your IT and security organization.

Who can use Modern Authentication instead of Basic Authentication?

OAuth is only available as the authentication method if you are on Exchange Online. If you are running Exchange Server (on-premises), Basic Authentication is the only authentication method available to AskCody.

What should you be aware of using Modern Authentication?

Be aware that, with this authentication method, the AskCody EWS application effectively has full access to all users' mailboxes (equivalent to an unscoped ApplicationImpersonation role), because the full access to all mailboxes permission is granted to the AskCody EWS application. If you use a scoped ApplicationImpersonation role today, you need to take this into consideration, since that scope cannot be carried over to the OAuth permission. That said, the data the AskCody EWS application accesses is still controlled and regulated by the data processing agreement entered into with all AskCody customers, meaning there is no change in which data AskCody accesses or processes on behalf of the data controller.
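The two scope models described above, as an added PowerShell example that is not AskCody's own code: on the Basic Authentication side, a scoped ApplicationImpersonation assignment that limits a service account to room mailboxes, plus an audit query that exposes unscoped assignments; on the Modern Authentication side, a Microsoft Graph PowerShell query listing every application in the tenant that has been consented full_access_as_app on Exchange Online, which is the permission the text refers to. The account name svc-askcody@contoso.com, the scope and assignment names, and the use of the ExchangeOnlineManagement and Microsoft.Graph.Applications modules are assumptions.

```powershell
# Added example, not AskCody's code. Account, scope and assignment names are assumptions.
# Requires the ExchangeOnlineManagement and Microsoft.Graph.Applications modules.

# --- Basic Authentication side: a scoped ApplicationImpersonation assignment -------------
# Connect-ExchangeOnline   (or a remote PowerShell session to on-premises Exchange Server)

# Restrict impersonation to room mailboxes instead of every mailbox in the organization.
New-ManagementScope -Name 'AskCody Room Mailboxes' `
    -RecipientRestrictionFilter { RecipientTypeDetails -eq 'RoomMailbox' }

# Grant the service account ApplicationImpersonation, limited to that scope.
New-ManagementRoleAssignment -Name 'AskCody Impersonation (rooms only)' `
    -Role 'ApplicationImpersonation' `
    -User 'svc-askcody@contoso.com' `
    -CustomRecipientWriteScope 'AskCody Room Mailboxes'

# Audit: an assignment with no CustomRecipientWriteScope is unscoped impersonation,
# i.e. the same reach as the OAuth full-access permission.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Select-Object RoleAssignee, CustomRecipientWriteScope, RecipientWriteScope

# --- Modern Authentication side: which apps hold full_access_as_app on Exchange Online ----
# Connect-MgGraph -Scopes 'Application.Read.All'

# The resource service principal that exposes the EWS application permission.
$ews = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"

# Map app-role GUIDs to their names so the output is readable.
$roleNames = @{}
foreach ($r in $ews.AppRoles) { $roleNames[$r.Id] = $r.Value }

# Every app-role assignment granted *to* this resource, i.e. every application that has
# been consented an Exchange Online application permission. There is no scope column:
# full_access_as_app always means every mailbox in the tenant.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ews.Id -All |
    Where-Object { $roleNames[$_.AppRoleId] -eq 'full_access_as_app' } |
    Select-Object PrincipalDisplayName, PrincipalId, CreatedDateTime
```

Run the second half before and after consenting to an EWS application so the new grant shows up in the list and can be recorded in your change log. Note that Microsoft has since announced the retirement of the ApplicationImpersonation role in Exchange Online, so the first half applies to on-premises Exchange Server and to tenants where the role still exists; check current Microsoft guidance before relying on it.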

Why Modern Authentication requires a Global Admin account with a mailbox to verify the connection

When connecting AskCody to Microsoft Exchange using Modern Authentication (OAuth), verifying that a mailbox exists for the signed-in user (the email address) is part of the validation and verification process. This ensures that a connection between the Exchange mailboxes and AskCody can actually be established.

In the AskCody Admin Center, when creating a connection to Exchange using Modern Authentication, AskCody verifies that connection by checking whether a mailbox exists for the email address of the user that is currently logged in to the AskCody Admin Center. The email address in question is shown in the upper right corner of any Admin Center page.

If a mailbox exists for that email address, the connection can be verified; if not, it can't. This is why the Global Admin account used for the consent flow must have a mailbox.

We check for a mailbox because we want to make sure that the application can actually access an Exchange mailbox once it has been granted consent. This is important to prevent issues later on, because Exchange mailboxes are the premise for all AskCody products, and full access to all mailboxes is necessary for the AskCody products to function properly (see the requirements for full access further down). We therefore built Modern Authentication with the requirement for a Global Admin user with a mailbox.

This does not mean that the AskCody EWS application runs as the Global Admin account. The Global Admin account is only needed to approve the AskCody EWS application's access to meeting data. Once approved, the application checks whether it can access the Global Admin's mailbox using its own application permission. If it can, the connection has been verified and a connection between AskCody and Microsoft Exchange has been established.

This means that the Global Admin does not need to keep the mailbox, or even remain an active user, after the connection has been established, unless the connection needs to be re-authenticated.

As an extreme example, it would be possible to create a new Global Admin with a mailbox, approve the AskCody EWS application, establish a connection and then delete the Global Admin account completely.

Why is full access to all mailboxes needed?

“….With Modern Authentication, the Use Exchange Web Services with full access to all mailboxes permission is granted to the AskCody EWS application as part of the consent flow.” Why?

Modern Authentication (OAuth) for EWS is only available in Exchange Online as part of Office 365. EWS applications using app-only OAuth require the "full access to all mailboxes" permission to work; EWS does not support narrower application permissions, so full mailbox access is the only permission type that can be granted to an EWS application. Please see: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

With Modern Authentication, there is no longer an Exchange service account and no credentials are shared with AskCody when connecting AskCody with Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 consent flow in Azure Active Directory, and the application then authenticates to EWS with a certificate. Because "full access to all mailboxes" is the only permission type available for EWS applications, it is required.

The AskCody EWS application is registered in Azure AD, as Microsoft's guidance for accessing EWS with OAuth 2.0 requires: the application must have an application (client) ID issued by Azure Active Directory, and the customer's consent is recorded against that ID.
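What the certificate-based flow looks like on the wire, as an added PowerShell example that is not AskCody's own code. It uses a hypothetical app registration that you own (the tenant, client ID, certificate thumbprint and room mailbox address are placeholders), obtains an app-only token with the MSAL.PS module, and sends one EWS GetFolder request for a room mailbox's calendar. The same request is then repeated with Basic Authentication so the difference is concrete: with OAuth the SOAP ExchangeImpersonation header names the target mailbox and no password is involved, while with Basic the service account's password travels in the Authorization header on every call. A GetFolder of this kind against the signed-in admin's own mailbox is also the sort of check the Global Admin mailbox section above describes.

```powershell
# Added example, not AskCody's code. All values below are placeholders / assumptions.
# Requires PowerShell 7 and the MSAL.PS module for the OAuth half.

$TenantId   = 'contoso.onmicrosoft.com'
$ClientId   = '00000000-0000-0000-0000-000000000000'   # your own app registration (assumed)
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # its certificate (assumed)
$RoomSmtp   = 'room-01@contoso.com'                    # mailbox to read (assumed)
$EwsUrl     = 'https://outlook.office365.com/EWS/Exchange.asmx'

# EWS SOAP request: read the calendar folder id of one mailbox. With app-only OAuth the
# application picks the mailbox to act on through the ExchangeImpersonation header; with
# Basic Authentication the same header is honoured via the ApplicationImpersonation role.
function New-EwsGetCalendarRequest([string]$Mailbox) {
@"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013_SP1"/>
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:SmtpAddress>$Mailbox</t:SmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="calendar"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@
}

# --- Modern Authentication: client credentials with a certificate, no password anywhere ---
$cert  = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
$token = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -ClientCertificate $cert `
                       -Scopes 'https://outlook.office365.com/.default'

$oauthResponse = Invoke-RestMethod -Method Post -Uri $EwsUrl `
    -ContentType 'text/xml; charset=utf-8' `
    -Headers @{ Authorization     = "Bearer $($token.AccessToken)"
                'X-AnchorMailbox' = $RoomSmtp } `
    -Body (New-EwsGetCalendarRequest $RoomSmtp)
$oauthResponse.Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage.ResponseCode

# --- Basic Authentication: the service account's password is sent on every request ---
# (Exchange Server, or Exchange Online only while Basic Authentication was still enabled.)
$cred = Get-Credential -Message 'Service account holding ApplicationImpersonation'

$basicResponse = Invoke-RestMethod -Method Post -Uri $EwsUrl `
    -Authentication Basic -Credential $cred `
    -ContentType 'text/xml; charset=utf-8' `
    -Body (New-EwsGetCalendarRequest $RoomSmtp)
$basicResponse.Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage.ResponseCode
```

Both calls print NoError when the mailbox is reachable. Swap $RoomSmtp for a mailbox the caller is not allowed to reach and the OAuth call still succeeds (full_access_as_app covers every mailbox), whereas a service account with a scoped impersonation assignment gets an ErrorImpersonateUserDenied response; that is the scope difference the previous sections describe.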

That said, the data the AskCody EWS application accesses is still controlled and regulated by the data processing agreement entered into with all AskCody customers, meaning there is no change in which data AskCody accesses or processes on behalf of the data controller.