Retirement of Basic Auth for Microsoft Exchange Online

Basic Auth for Microsoft Exchange Online will retire – You need to change authentication method for third party applications integrating with Microsoft Exchange Online

Update on Basic and Modern Auth with Microsoft EWS Applications

The AskCody Platform is built as a Microsoft EWS Application, meaning that the AskCody Platform uses Microsoft’s API to integrate with a customer’s Exchange Server or Exchange Online tenant.

An API is code that allows two software programs (or more) to communicate with each other and share data. Microsoft's API is called Exchange Webservices (EWS) and allow AskCody to access the customers Microsoft Exchange data and items such as calendars, calendars events, and contacts. The AskCody Platform is therefore built as an EWS Application and will be referred to in the following.

Simply put, this means that AskCody integrates with Microsoft Exchange using Exchange Webservices Managed API to share data with Microsoft Exchange, read more here. Exchange Webservices is a native part of Microsoft Exchange Server (on-prem) and Microsoft Exchange Online, available for developers like AskCody, used to share data with third-party applications like the AskCody Platform. 

Connecting a Microsoft EWS Application to Microsoft Exchange is done using one of two authentication methods depending on Exchange Server or Exchange Online. These are referred to as Modern- and Basic Authentication and are used for Exchange Server and Exchange Online respectively.

Basic Auth for Exchange Online will retire – You need to change authentication method

Exchange Web Services (EWS) was launched with support for Basic Authentication starting on Exchange Server (On-prem) and of course, being implemented for Exchange Online as well. Over time, Microsoft introduced Modern Authentication (OAuth 2.0) for authentication and authorization on Exchange Online, which is a more secure and reliable way than Basic Authentication to access data, so that EWS Applications integrating with Microsoft Exchange Online could leverage both types of authorization and authentication.

In March 2018 Microsoft published this announcement advising that Basic Authentication to Exchange Web Services (EWS) for Exchange Online will be retired on October 13th, 2020, meaning on this date, Basic Authentication for EWS Applications will be decommissioned, and EWS Applications should switch to using Modern Authentication to connect, authenticate and authorize.

Earlier this year, Microsoft provided these updates on progress.

With the announcement from Microsoft, they will stop supporting and fully decommission the Basic Authentication for EWS to access Exchange Online. This means that all third-party applications and services (like AskCody) that integrates with Exchange Online, will not be able to use Basic Authentication when connecting to Exchange Online using EWS and should instead use the more secure Modern Authentication for authentication and authorization.

In response to the COVID-19 situation and knowing that priorities have changed for many organizations, Microsoft has decided to postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it until the second half of 2021. Microsoft will provide a more precise date when we have a better understanding of the impact of the situation.

That said, Microsoft will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020.

Microsoft still intends to move customers away from Basic Authentication as it is strongly believed it will improve security in Exchange Online that benefits all of us, so Microsoft will announce more accurate timelines for disabling Basic Authentication for tenants with usage at a later date.

Even though the retirement of Basic Authentication is postponed, we recommend customers and organizations to plan for that switch now.

Why is Microsoft retiring Basic Authentication for Exchange Online?

For many years, applications integrating with Microsoft Exchange have used Basic Authentication to connect to Exchange Servers, services, and endpoints using EWS. It is enabled by default and it’s super simple to set up. Basic Authentication simply means the application sends a username and password with every request (often stored or saved on the device – AskCody use Azure Key Vault to make this secure and reliable).

Simplicity isn’t at all bad in itself, but Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials which in turn increases the risk of credential re-use against other endpoints or services. Multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Authentication and so all too often it isn’t used.

Simply put, there are better and more effective alternatives to authenticate users available today, and Microsoft is actively recommending to customers to adopt security strategies such as Zero Trust (i.e. Trust but Verify) or apply real-time assessment policies when users and devices are accessing corporate information. This can all be handled and manage with Modern Authentication.

With the move to disable Basic Authentication, Microsoft is taking great steps to improve data security in Exchange Online.

Learn more here about why Microsoft is disabling Basic Authentication, here.

How does this affect AskCody?

With AskCody being a Microsoft EWS Application, when Basic Authentication is retired from Microsoft Exchange Online, any organization that still uses this authentication method to connect AskCody to their Microsoft Exchange Online will immediately see a disruption to AskCody’s functionality, since AskCody will fail to connect to Microsoft Exchange Online.

Retiring Basic Authentication for Microsoft Exchange Online will not only impact AskCody, but all third-party applications connected to Microsoft Exchange Online using Basic Authentication. Therefore, customers will see a major impact on third-party applications, if they don’t change.

How does this affect you as a Customer?

AskCody customers still using Basic Authentication (Service Account, Username, and Password) to authenticate the AskCody connection and integration with Microsoft Exchange Online.

Customers and organizations using Modern Authentication are not affected and can ignore this announcement.

What do Customers and organizations need to do now?  

If you are already using Basic Auth for integrating Exchange Online with AskCody, you can continue using Basic Authentification for now, until Microsoft announces a new date for retiring Basic Auth.

Microsoft will though disable Basic Authentication for newly created Exchange Online tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020.  This means, that signing up on AskCody starting October 2020, requires Modern Auth for integrating with Exchange Online.

Even though the retirement of Basic Authentication is postponed, we recommend customers and organizations to plan for that switch now. 

Go to your AskCody Admin Portal and follow this guide to switch accordingly. No AskCody services or features will be impacted by doing the switch. 

 

Switch to Modern Auth

Is Microsoft Exchange Server (On-prem) affected?

Basic Authentication for Microsoft Server (On-prem) is not affected or impacted by this. Customers on Microsoft Exchange Server are not impacted or affected.

Next step

We understand changes like this may cause some inconvenience, but we are confident it will ensure more secure, reliable, and performant experiences, not just for AskCody but for all third-party applications integrated with Microsoft Exchange Online. The deprecation of Basic Authentication for Microsoft Exchange Online follows Microsoft service deprecation policies.

We're here to help if you need it. If you have any questions, please let us know.

Thank you in advance for updating your AskCody setup in time to avoid any disruption in the performance and use of your AskCody Platform.