Today, AskCody accesses data in Microsoft Exchange (both on-premises versions and Exchange Online as part of Office 365) through Exchange Web Services (EWS) using Basic Authentication. This authentication method uses the username and password of a service account created in Exchange and connected through the AskCody Admin Center. (The password is stored encrypted in Azure Key Vault as described in this article.)
However, the Microsoft Exchange Team announced in July 2018 that support for Basic Authentication in Exchange Online will end on October 13th, 2020. Instead, Microsoft now recommends the use of Modern Authentication, which is based on the widely used OAuth 2.0 protocol. This is more secure because Modern Authentication doesn’t require a service account, and therefore doesn’t involve a password that can be compromised.
What is the difference between Basic and Modern Authentication?
Basic Authentication requires that you share the username and password of an Exchange service account with AskCody when connecting AskCody to Exchange (as mentioned above, the password is stored encrypted in Azure Key Vault). These credentials are then used to connect to Exchange Web Services (EWS) to access data in Exchange.
With Modern Authentication, there is no Exchange service account, and no credentials are shared with AskCody when connecting AskCody to Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow.
How access to mailboxes is configured also differs between Basic and Modern Authentication. With Basic Authentication, the Exchange service account is granted access to the relevant mailboxes through delegation or through the Application Impersonation role. With Modern Authentication, the "Use Exchange Web Services with full access to all mailboxes" permission is granted to the AskCody EWS application as part of the consent flow. With this authentication method, Application Impersonation is therefore no longer required, which is a major step forward: there is no longer a service account that can be compromised. The need for an Application Impersonation service account for web applications to connect to Exchange is therefore no longer a hot topic in your IT and security organization.
Who can use Modern Authentication instead of Basic Authentication?
Using OAuth as the authentication method is only available if you are on Exchange Online. If you are running Exchange Server (on-premises), Basic Authentication is still the only authentication method available.
How does this affect you now?
If your organization uses Exchange Online as part of Office 365, you can now switch to Modern Authentication. You will need to do this before support for Basic Authentication ends on October 13th, 2020. Using Modern Authentication with Exchange Online makes access to Exchange more secure and reliable, and removes the risk of a password being compromised.
What do you have to do now?
Consider switching to Modern Authentication if your organization uses Exchange Online as part of Office 365, especially if your organization is considering turning off support for Basic Authentication.
What should you be aware of?
Be aware that the AskCody EWS application will effectively have full access to users’ mailboxes (equal to unscoped Application Impersonation) if this authentication method is chosen, because the full access to all mailboxes permission is granted to the AskCody EWS application. If you use a scoped Application Impersonation role today, you therefore need to take this into consideration. That said, the data the AskCody EWS application accesses is still controlled and regulated by the data processing agreement entered into with all AskCody customers, meaning there is no change in which data AskCody accesses or processes on behalf of the data controller.
What are the latest news and updates from Microsoft on Exchange Web Services?
Exchange Web Services will continue to be available even though Microsoft is deprecating it, which means it will no longer actively develop the service. Security and non-security updates will still be released for Exchange Web Services, but Microsoft has no plans to add new features going forward, with Microsoft Graph being the new standard for Exchange Online.
Can we still use EWS in production environments?
Organizations can continue to use Exchange Web Services in production environments. The main catch concerns Basic Authentication, which has a hard stopping point. Organizations that have "hybrid" Exchange setups (that is, they use both Exchange Server and Exchange Online together) are currently using Exchange Web Services to call into Exchange Online, but such setups don't use Basic Authentication, so they won't be affected by Microsoft's policy change, according to the Exchange Team's FAQ.
“... With Modern Authentication, the Use Exchange Web Services with full access to all mailboxes permission is granted to the AskCody EWS application as part of the consent flow.” Why is full access to all mailboxes needed?
Modern Authentication (OAuth) for EWS is only available in Exchange Online as part of Office 365. EWS applications using OAuth require the "Full access to user's mailbox" permission to work. Full Mailbox Access is therefore the only permission type that can be granted to EWS applications. Please see: https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
With Modern Authentication, there is no longer an Exchange service account, and no credentials are shared with AskCody when connecting AskCody to Exchange. Instead, a Global Administrator in your organization grants permissions to the AskCody EWS application through an OAuth 2.0 flow in Azure Active Directory. The AskCody EWS application can then access EWS using a certificate-based authentication flow. The "Full access to user's mailbox" permission is the only available permission type, and is therefore required.
The AskCody EWS application is registered in Azure AD, following best practices for accessing EWS using the OAuth 2.0 protocol, because the application must have an application ID issued by Azure Active Directory.
That said, the data the AskCody EWS application accesses is still controlled and regulated by the data processing agreement entered into with all AskCody customers, meaning there is no change in which data AskCody accesses or processes on behalf of the data controller.
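The certificate-based flow described above, as an added example that is not AskCody's code: instead of presenting a password, the registered application proves possession of its private key by signing a short-lived JWT client assertion (RS256, with the certificate thumbprint in the x5t header) addressed to the Azure AD token endpoint; the claim layout follows the Microsoft identity platform's certificate-credential format. The tenant ID, application (client) ID and certificate bytes are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Placeholder identifiers, constructed for this example (not AskCody's real values).
const (
	tenantID      = "00000000-0000-0000-0000-000000000000"
	clientID      = "11111111-1111-1111-1111-111111111111"
	tokenEndpoint = "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/token"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // base64url, no padding

// ClientAssertion builds the RS256-signed JWT that stands in for a password: certDER is the X.509
// certificate (DER) registered on the app in Azure AD, key its private key, which never leaves the caller.
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER) // Azure AD locates the registered cert by SHA-1 thumbprint ("x5t")
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64(thumb[:])})
	jti := make([]byte, 16) // unique token id, so a replayed assertion can be rejected
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{ // short-lived: only a 5-minute window
		"aud": tokenEndpoint, "iss": clientID, "sub": clientID, "jti": b64(jti),
		"nbf": now.Unix(), "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// main runs the flow stand-alone with a throwaway key and a constructed certificate blob.
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, err := ClientAssertion(key, []byte("constructed-cert-der"), time.Now())
	fmt.Println(jwt, err)
}
```

The assertion is posted to the token endpoint as client_assertion together with client_id, grant_type=client_credentials, scope=https://outlook.office365.com/.default and client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer; the access token in the reply is then sent to EWS as an Authorization: Bearer header.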
When is it available?
Now. Log in to your AskCody Management Portal and switch to Modern Authentication.