Retirement of Basic Authentication for Microsoft Exchange Online

Microsoft set October 1, 2022 as the deadline to retire Basic Authentication for Exchange. We recommend switching to Modern Authentication.

The AskCody Platform is built as a Microsoft EWS Application, meaning that the AskCody Platform uses Microsoft’s API to integrate with a customer’s Exchange Server or Exchange Online tenant.

An API is code that allows two or more software programs to communicate with each other and share data. Microsoft's API is called Exchange Web Services (EWS) and allows AskCody to access the customer's Microsoft Exchange data and items such as calendars, calendar events, and contacts. The AskCody Platform is therefore built as an EWS Application and is referred to as such in the following.

Simply put, this means that AskCody integrates with Exchange using the Exchange Web Services Managed API to share data with Exchange, read more here. Exchange Web Services is a native part of Exchange Server (on-prem) and Exchange Online, available to developers like AskCody and used to share data with third-party applications like the AskCody Platform.

Connecting a Microsoft EWS Application to Exchange is done using one of two authentication methods, depending on whether the target is Exchange Server or Exchange Online. These are referred to as Modern Auth and Basic Auth and are used for Exchange Server and Exchange Online respectively.

Basic Authentication for Exchange Online will retire

Exchange Web Services (EWS) launched with support for Basic Auth, starting on Exchange Server (On-prem) and then implemented for Exchange Online as well. Over time, Microsoft introduced Modern Auth (OAuth 2.0) for authentication and authorization on Exchange Online, a more secure and reliable way than Basic Auth to access data, so that EWS Applications integrating with Exchange Online could use either type of authentication and authorization.

Microsoft communication timeline

  • March 2018: Microsoft published this announcement advising that Basic Auth to Exchange Web Services (EWS) for Exchange Online would be retired on October 13th, 2020. On that date, Basic Auth for EWS Applications would be decommissioned, and EWS Applications should switch to Modern Auth to integrate, authenticate and authorize.
  • April 2020: In response to the COVID-19 situation and knowing that priorities have changed for many organizations, Microsoft decided to postpone disabling Basic Auth in Exchange Online until the second half of 2021.
  • February 2021: Microsoft announced that until further notice, they will not be disabling Basic Auth for any protocols in use.
  • September 2021: Microsoft announced that effective October 1, 2022, they will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth.

Microsoft continues to disable Basic Auth by default for newly created tenants and has begun disabling Basic Auth in protocols that are not in use.

 

Why is Microsoft retiring Basic Authentication for Exchange Online?

For many years, applications integrating with Exchange have used Basic Auth to connect to Exchange Servers, services, and endpoints using EWS. It is enabled by default and it’s super simple to set up. Basic Auth simply means the application sends a username and password with every request (often stored or saved on the device – AskCody uses Azure Key Vault to make this secure and reliable).

Simplicity isn’t at all bad in itself, but Basic Auth makes it easier for attackers armed with today’s tools and methods to capture users’ credentials, which in turn increases the risk of credential re-use against other endpoints or services. Multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Auth, and so all too often it isn’t used.

Simply put, there are better and more effective alternatives for authenticating users available today, and Microsoft is actively recommending that customers adopt security strategies such as Zero Trust (i.e. Trust but Verify) or apply real-time assessment policies when users and devices are accessing corporate information. This can all be handled and managed with Modern Auth.

With the move to disable Basic Auth, Microsoft is taking great steps to improve data security in Exchange Online.

Learn more about why Microsoft is disabling Basic Auth here.

How does this affect AskCody?

With AskCody being a Microsoft EWS Application, when Basic Auth is retired from Exchange Online, any organization that still uses this authentication method to integrate AskCody with their Exchange Online will immediately see a disruption to AskCody’s functionality, since AskCody will fail to integrate with Exchange Online.

Retiring Basic Auth for Exchange Online will impact not only AskCody but all third-party applications connected to Exchange Online using Basic Auth. Customers will therefore see a major impact on third-party applications unless those integrations are switched to Modern Auth.

How does this affect you as a Customer?

AskCody customers still use Basic Auth (Service Account, Username, and Password) to authenticate the AskCody connection and integration with Exchange Online.

Customers and organizations using Modern Auth are not affected and can ignore this announcement.

To learn how Modern Authentication can support various setups and multiple integrations, click here and read the article.

 

Switch to Modern Authentication in a few simple steps  

The switch from the Basic Authentication method to the Modern Authentication method only applies to customers who already have an integration to Exchange Online. Log in to your AskCody Portal and follow the video below or this guide to switch accordingly. No AskCody services or features will be impacted by making the switch.

If you wish to change your integration from Exchange Server to Exchange Online, follow the steps in this article.

Microsoft Exchange Server (On-prem) is not affected

Basic Auth for Microsoft Exchange Server (On-prem) is not affected by this change, so customers on Exchange Server are not impacted.

Use Application Access Policies with Modern Authentication to restrict access 

Modern Auth (OAuth 2.0) is a more secure and reliable way than Basic Auth to access data in Microsoft Exchange Web Services (EWS). In February 2021 Microsoft introduced Application Access Policies for connecting to EWS. This enables you to restrict the AskCody application so that it can access only certain resources in Exchange. Note, however, that AskCody already only has access to the resources (calendars) that you choose to connect and integrate into the AskCody Platform, as an extra layer of security and restriction of data access.

For more information and guidance on how to set up Application Access Policies with Modern Auth see this help article and webinar.
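
As an added illustration of the restriction described above (not taken from AskCody's or Microsoft's guides), the following Exchange Online PowerShell sketch scopes an application to a mail-enabled security group and then verifies the result. The app ID, group address and mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example. All values below are placeholders / hypothetical names.
$AppId             = '00000000-0000-0000-0000-000000000000'  # placeholder: application (client) ID of the integration
$ScopeGroup        = 'askcody-resources@contoso.example'     # hypothetical mail-enabled security group
$InScopeMailbox    = 'meetingroom1@contoso.example'          # hypothetical member of the group
$OutOfScopeMailbox = 'finance-director@contoso.example'      # hypothetical non-member

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with Modern Auth

# 1. Review policies that already exist for this app before adding another.
Get-ApplicationAccessPolicy |
    Where-Object AppId -eq $AppId |
    Format-List ScopeName, AccessRight, Description

# 2. Restrict the app to mailboxes that are members of the scope group.
#    RestrictAccess means: only members of the group are reachable by the app.
New-ApplicationAccessPolicy `
    -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit integration to room and resource calendars'

# 3. Verify both sides of the boundary: a member must be Granted,
#    a non-member must be Denied. Anything else needs investigation.
$expected = [ordered]@{
    $InScopeMailbox    = 'Granted'
    $OutOfScopeMailbox = 'Denied'
}
foreach ($mailbox in $expected.Keys) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    $status = if ($result.AccessCheckResult -eq $expected[$mailbox]) { 'OK' } else { 'UNEXPECTED' }
    '{0,-10} {1,-40} {2}' -f $status, $mailbox, $result.AccessCheckResult
}

Disconnect-ExchangeOnline -Confirm:$false
```

Testing a mailbox that should be denied matters as much as testing one that should be granted, since a missing or mis-scoped policy leaves the application with tenant-wide access.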