Basic Auth for Microsoft Exchange Online will retire – You need to change authentication method for third-party applications integrating with Microsoft Exchange Online
Update on Basic and Modern Auth with Microsoft EWS Applications
The AskCody Platform is built as a Microsoft EWS Application, meaning that the AskCody Platform uses Microsoft’s API to integrate with a customer’s Exchange Server or Exchange Online tenant.
An API is code that allows two (or more) software programs to communicate with each other and share data. Microsoft's API is called Exchange Web Services (EWS) and allows AskCody to access the customer's Microsoft Exchange data and items such as calendars, calendar events, and contacts. The AskCody Platform is therefore built as an EWS Application and will be referred to as such in the following.
Simply put, this means that AskCody integrates with Microsoft Exchange using the Exchange Web Services Managed API to share data with Microsoft Exchange, read more here. Exchange Web Services is a native part of Microsoft Exchange Server (on-prem) and Microsoft Exchange Online. It is available to developers like AskCody and is used to share data with third-party applications like the AskCody Platform.
Connecting a Microsoft EWS Application to Microsoft Exchange is done using one of two authentication methods, depending on whether the customer runs Exchange Server or Exchange Online. These are referred to as Modern and Basic Authentication and are used for Exchange Server and Exchange Online respectively.
Basic Auth for Exchange Online will retire – You will need to change the authentication method
Exchange Web Services (EWS) was launched with support for Basic Authentication, starting on Exchange Server (on-prem) and then implemented for Exchange Online as well. Over time, Microsoft introduced Modern Authentication (OAuth 2.0) for authentication and authorization on Exchange Online, which is a more secure and reliable way to access data than Basic Authentication. EWS Applications integrating with Microsoft Exchange Online could therefore use either type of authentication and authorization.
Microsoft communication timeline
- March 2018: Microsoft published this announcement advising that Basic Authentication to Exchange Web Services (EWS) for Exchange Online would be retired on October 13th, 2020, meaning on this date, Basic Authentication for EWS Applications will be decommissioned, and EWS Applications should switch to using Modern Authentication to integrate, authenticate and authorize.
- April 2020: In response to the COVID-19 situation and knowing that priorities have changed for many organizations, Microsoft decided to postpone disabling Basic Authentication in Exchange Online until the second half of 2021.
- February 2021: Microsoft announced that until further notice, they will not be disabling Basic Auth for any protocols in use.
Based on the most recent statement from Microsoft in February 2021, Microsoft will still continue to disable Basic Authentication for newly created tenants by default, and will begin to disable Basic Authentication in protocols that are not in use.
Microsoft still intends to move customers away from Basic Authentication, as it strongly believes this will improve security in Exchange Online, which benefits all of us. Microsoft will therefore push for disabling Basic Authentication, but as of now there is no deadline for when it will be fully retired. Based on this, AskCody still recommends that customers and organizations plan for switching to Modern Authentication if it has not already been done.
It is important to note that even though we recommend switching to Modern Authentication, AskCody will continue to provide the option for both Basic and Modern Authentication, closely following Microsoft’s statements and advice.
Why is Microsoft retiring Basic Authentication for Exchange Online?
For many years, applications integrating with Microsoft Exchange have used Basic Authentication to connect to Exchange Servers, services, and endpoints using EWS. It is enabled by default and it’s super simple to set up. Basic Authentication simply means the application sends a username and password with every request (often stored or saved on the device – AskCody uses Azure Key Vault to make this secure and reliable).
Simplicity isn’t at all bad in itself, but Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials, which in turn increases the risk of credential re-use against other endpoints or services. Multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Authentication, and so all too often it isn’t used.
Simply put, there are better and more effective alternatives to authenticate users available today, and Microsoft is actively recommending that customers adopt security strategies such as Zero Trust (i.e. Trust but Verify) or apply real-time assessment policies when users and devices are accessing corporate information. This can all be handled and managed with Modern Authentication.
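To make the difference concrete, here is an added example (not code from AskCody or Microsoft) that inspects an HTTP Authorization header the way a defender reviewing proxy or application logs might, and reports what each scheme exposes. The account name, password and token claims are constructed sample values, and the demo token is unsigned and read without verification, for inspection only.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_authorization(value: str) -> dict:
    """Report what one Authorization header value exposes to anyone who sees it."""
    scheme, _, credential = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return {"scheme": "basic", "error": "malformed"}
        user, sep, password = decoded.partition(":")
        # The long-lived account password rides along on every request.
        return {"scheme": "basic", "user": user,
                "password_recoverable": bool(sep and password), "expires": None}
    if scheme == "bearer":
        parts = credential.split(".")
        try:
            claims = json.loads(_b64url_decode(parts[1])) if len(parts) == 3 else {}
        except ValueError:
            claims = {}
        if not isinstance(claims, dict):
            claims = {}
        # A token carries no password and is bounded by expiry, audience and scope.
        return {"scheme": "bearer", "password_recoverable": False,
                "expires": claims.get("exp"), "audience": claims.get("aud"),
                "scopes": claims.get("scp") or claims.get("roles")}
    return {"scheme": scheme or "none", "password_recoverable": False, "expires": None}

def sample_headers() -> dict:
    """Constructed sample values: a made-up service account and an unsigned demo token."""
    basic = "Basic " + base64.b64encode(b"svc-rooms@example.com:NotARealPassword").decode()
    payload = {"aud": "https://outlook.office365.com", "exp": 1700003600,
               "scp": "EWS.AccessAsUser.All"}
    token = ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(payload).encode()), "sig"])
    return {"basic": basic, "bearer": "Bearer " + token}

if __name__ == "__main__":
    for name, header in sample_headers().items():
        print(name, describe_authorization(header))
```

The Basic header yields the account password itself with no expiry, while the bearer token yields only time-limited, scoped claims.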
With the move to disable Basic Authentication, Microsoft is taking great steps to improve data security in Exchange Online.
Learn more about why Microsoft is disabling Basic Authentication here.
How does this affect AskCody?
With AskCody being a Microsoft EWS Application, when Basic Authentication is retired from Microsoft Exchange Online, any organization that still uses this authentication method to integrate AskCody with their Microsoft Exchange Online will immediately see a disruption to AskCody’s functionality, since AskCody will fail to integrate with Microsoft Exchange Online.
Retiring Basic Authentication for Microsoft Exchange Online will not only impact AskCody, but all third-party applications connected to Microsoft Exchange Online using Basic Authentication. Therefore, customers will see a major impact on third-party applications, if they don’t change.
How does this affect you as a Customer?
This affects AskCody customers still using Basic Authentication (Service Account, Username, and Password) to authenticate the AskCody connection and integration with Microsoft Exchange Online.
Customers and organizations using Modern Authentication are not affected and can ignore this announcement.
What do Customers and organizations need to do now?
If you are already using Basic Auth for integrating Exchange Online with AskCody, you can continue using Basic Authentication for now, until Microsoft announces new information on retiring Basic Auth.
Microsoft will, however, disable Basic Authentication for newly created Exchange Online tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. Even though the retirement of Basic Authentication is postponed, we recommend that customers and organizations plan for that switch now.
Go to your AskCody Admin Portal and follow this guide to switch accordingly. No AskCody services or features will be impacted by doing the switch.
Is Microsoft Exchange Server (On-prem) affected?
Basic Authentication for Microsoft Exchange Server (On-prem) is not affected or impacted by this. Customers on Microsoft Exchange Server are not impacted or affected.