Today, AskCody accesses data in Microsoft Exchange (both on-premises versions and Exchange Online as part of Office 365) through Exchange Web Services (EWS) using Basic Authentication. This authentication method uses the username and password of a service account created in Exchange and connected through the AskCody Admin Center. (The password is stored encrypted in Azure Key Vault as described in this article.)
However, the Microsoft Exchange Team announced in July 2018 that support for Basic Authentication in Exchange Online will end on October 13th, 2020. Instead, Microsoft now recommends the use of Modern Authentication, which is based on the widely used OAuth 2.0 protocol. This is more secure because Modern Authentication doesn’t require a service account, and therefore doesn’t involve a password that can be compromised.
What is the difference between Basic and Modern Authentication?
Basic Authentication requires that you share the username and password of an Exchange service account with AskCody when connecting AskCody to Exchange (as mentioned above, the password is stored encrypted in Azure Key Vault). These credentials are then used to connect to Exchange Web Services (EWS) to access data in Exchange.
With Modern Authentication, there is no Exchange service account, and no credentials are shared with AskCody when connecting AskCody to Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow.
How access to mailboxes is configured also differs between Basic and Modern Authentication. With Basic Authentication, the Exchange service account is granted access to the relevant mailboxes through delegation or the Application Impersonation role. With Modern Authentication, the Use Exchange Web Services with full access to all mailboxes permission is granted to the AskCody EWS application as part of the consent flow. With this authentication method, Application Impersonation is therefore no longer required, which is a major step forward in ensuring that no service account can be compromised. The need for an Application Impersonation service account for web applications to connect to Exchange is therefore no longer a hot topic in your IT and security organization.
Who can use Modern Authentication instead of Basic Authentication?
Using OAuth as the authentication method is only available if you are on Exchange Online. If you are running Exchange Server on-premises, Basic Authentication is still the only authentication method available.
How does this affect you now?
If your organization uses Exchange Online as part of Office 365, you can now switch to Modern Authentication. You will need to do this before support for Basic Authentication ends on October 13th, 2020. Using AskCody with Exchange Online through Modern Authentication makes access to Exchange more secure and reliable and removes the risk of a password being compromised.
What do you have to do now?
Consider switching to Modern Authentication if your organization uses Exchange Online as part of Office 365, especially if your organization is considering turning off support for Basic Authentication.
What should you be aware of?
Be aware that the AskCody EWS application will effectively have full access to users' mailboxes (equal to unscoped Application Impersonation) if this authentication method is chosen, since the full access to all mailboxes permission is granted to the AskCody EWS application. If you have a scoped Application Impersonation role today, you therefore need to take this into consideration. That said, the data the AskCody EWS application accesses is still controlled and regulated by the data processing agreement entered into with all AskCody customers, meaning there is no change in which data AskCody accesses or processes on behalf of the data controller.
Why Modern Authentication requires a Global Admin account with a mailbox to authenticate the connection
For connecting AskCody to Microsoft Exchange using Modern Authentication (OAuth), verifying that a mailbox exists for the user (the email address) is part of the validation and verification process. This ensures that a connection between the Exchange mailboxes and AskCody can be established.
In the AskCody Admin Center, when creating a connection to Exchange using Modern Authentication, AskCody verifies that connection by checking whether a mailbox exists for the email address of the user that is currently logged in to the AskCody Admin Center. The email address in question is shown in the upper right corner of any Admin Center page.
If a mailbox exists with that email address, the connection can be verified. If not, it can't. Therefore, the Global Admin account is required to have a mailbox.
The reason we check for a mailbox is that we want to make sure that we can actually access an Exchange mailbox when connecting AskCody to Microsoft Exchange. This is really important to prevent issues later on, because Exchange mailboxes are the foundation of all AskCody products and Full Access to all mailboxes is necessary for the AskCody products to function properly (see the requirements for Full Access further down). Therefore, we developed Modern Authentication with the requirement for a Global Admin user with a mailbox.
This does not mean that the AskCody EWS application runs through the Global Admin account. The Global Admin account is only needed to approve the AskCody EWS application to access meeting data. Once approved, the application checks whether it is able to access the Global Admin's mailbox. If this is possible, the application has been authenticated and a connection between AskCody and Microsoft Exchange has been established.
This means that the Global Admin does not need to have a mailbox or even be an active user after the connection has been established unless the connection needs to be re-authenticated.
As an extreme example, it would be possible to create a new Global Admin with a mailbox, approve the AskCody EWS application, establish a connection and then delete the Global Admin account completely.
What are the news and updates from Microsoft on Exchange Web Services?
Exchange Web Services will continue to be available, even though Microsoft is deprecating it, which means it will no longer actively develop the service. Security and non-security updates will continue to arrive for Exchange Web Services, even though Microsoft has no plans to add new features going forward, with Microsoft Graph being the new standard for Exchange Online.
Can we still use EWS in production environments?
Organizations can continue to use Exchange Web Services in production environments. The main catch concerns Basic Authentication, which has a hard stopping point. Organizations that have "hybrid" Exchange setups (that is, they use both Exchange Server and Exchange Online together) are currently using Exchange Web Services to call into Exchange Online, but such setups don't use Basic Authentication, so they won't be affected by Microsoft's policy change, according to the Exchange Team's FAQ.
“…With Modern Authentication, the Use Exchange Web Services with full access to all mailboxes permission is granted to the AskCody EWS application as part of the consent flow.” Why is full access to all mailboxes needed?
Modern Authentication (OAuth) for EWS is only available in Exchange Online as part of Office 365. EWS applications using OAuth require the "Full access to users' mailbox" permission to work. Full Mailbox Access is, therefore, the only permission type that can be granted to EWS applications. Please see: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
With Modern Authentication, there is no longer an Exchange service account, and no credentials are shared with AskCody when connecting AskCody to Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow. The "Full access to user's mailbox" permission is the only available permission type, and is therefore required.
The AskCody EWS application is registered in Azure AD following best practices for accessing EWS using the OAuth 2.0 protocol, since the application is required to have an application ID issued by Azure Active Directory.
That said, the data the AskCody EWS application accesses is still controlled and regulated by the data processing agreement entered into with all AskCody customers, meaning there is no change in which data AskCody accesses or processes on behalf of the data controller.
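As an added illustration of the certificate-based OAuth 2.0 client-credentials flow described above (this is not AskCody's code; the tenant id, client id and certificate bytes are constructed placeholders, and the signer is injected so the private key stays in the caller's key store): a signed client assertion takes the place of the service-account password, the token request asks for the EWS scope, and a defender-side check confirms that the issued token actually carries the app-only EWS role behind the "full access to all mailboxes" permission.

```python
import base64
import hashlib
import json
import time
import uuid
from urllib.parse import urlencode

EWS_SCOPE = "https://outlook.office365.com/.default"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Value of the "Use Exchange Web Services with full access to all mailboxes" app permission
REQUIRED_ROLE = "full_access_as_app"

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_client_assertion(tenant_id, client_id, cert_der, signer, now=None):
    """Build the RS256 JWT a confidential client presents instead of a password.
    signer(bytes) -> bytes must return an RSA-SHA256 signature made with the
    certificate's private key (e.g. via the `cryptography` package)."""
    now = int(now if now is not None else time.time())
    header = {"alg": "RS256", "typ": "JWT",
              "x5t": b64url(hashlib.sha1(cert_der).digest())}  # cert thumbprint
    claims = {"aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
              "iss": client_id, "sub": client_id, "jti": str(uuid.uuid4()),
              "nbf": now, "exp": now + 600}  # short-lived: 10 minutes
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + b64url(signer(signing_input.encode()))

def token_request_body(client_id, assertion):
    """Form body of the client_credentials grant; note there is no client_secret."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "scope": EWS_SCOPE, "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": assertion})

def jwt_claims(token):
    """Decode (without signature verification) the payload of a JWT for inspection."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def has_ews_full_access(access_token):
    """True only if Azure AD issued the app-only EWS role granted by the consent flow."""
    return REQUIRED_ROLE in jwt_claims(access_token).get("roles", [])

def ews_headers(access_token):
    """Headers for the EWS SOAP call: the bearer token replaces the Basic Auth header."""
    return {"Authorization": "Bearer " + access_token,
            "Content-Type": "text/xml; charset=utf-8"}
```

Inspecting the roles claim this way is a cheap sanity check after consent: a token without full_access_as_app means the permission was not granted, and EWS calls will fail before any mailbox is touched.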
When is it available?
Now. Log in to your AskCody Management Portal and switch to Modern Authentication.