Microsoft Basic Auth vs Microsoft OAuth
How to migrate from Basic Authentication to OAuth.
Tasia Potasinski | May 5, 2020
Microsoft has begun to officially deprecate Basic Authentication for many Exchange Online protocols, including Exchange Web Services (EWS) and Exchange ActiveSync (EAS). Applications that sync Microsoft Online accounts should begin migrating to Modern Authentication today to make the transition as smooth as possible for your users.
In this guide, we’ll discuss how to best support migration from Basic Auth to OAuth, including:
Want a PDF of this article?
Share it with a friend or save it for later reading.
We'll send the PDF straight to your inbox!
- Basic Auth vs OAuth: Key Differences
- Microsoft’s Timeline
- Enhance Security and Lower Maintenance with the Nylas APIs
- How to get better support for your Microsoft integration
Last Updated: April 8th, 2021
Basic Authentication vs. OAuth: Key Differences
Microsoft is moving away from the password-based Basic Authentication in Exchange Online and will be disabling it in the near future. Instead, applications will have to use the OAuth 2.0 token-based Modern Authentication to continue with these services. Microsoft uses a lot of protocols, but not all will be affected. The ones that will be included:
- Exchange Web Services (EWS)
- Exchange ActiveSync (EAS)
- Remote PowerShell
Note that for now, Microsoft will not be disabling Basic Authentication for the following protocols:
- Exchange Server
What is Basic Authentication?
Imagine the information of a user’s account having physically manifested in all the rooms of their house. In one room is all their contact information, another is a box of signed letterhead with their name on it, and so on. To show someone what’s in their house, they’ll have to give them a house key, and thus anyone who has that key will have access to the house at any time. This is essentially what Basic Authentication is, but with a username and password (a user’s credentials) being the key.
Basic authentication only requires a user’s credentials to access their account. The user’s credentials are sent from the application for *every request*. While this is straightforward, this process can leave their credentials, and thus their account, vulnerable.
Here are a few ways basic authentication is lacking:
- If the connection is not secured through TLS, the password could be intercepted
- If multi-factor authentication is not set up (as is typical with Basic Authentication) there are no additional safeguards preventing people who now have the credentials from accessing the account
- Their credentials give access to all resources associated with their account
- Their credentials can be used by anyone, at anytime
So why is Microsoft deprecating basic authentication? They believe it’s not an effective enough security method for today’s users.
What is Modern Authentication?
Now imagine all of a user’s account information is instead physically manifested in different offices in a building. Anyone who wants to enter an office needs to swipe their ID card. This ID card was given to them when starting at a company and knows the areas they need to access. This ID might also expire, so when they move on and no longer need access to the building, they lose that access. This is similar to how Modern Authentication works, where an ID card is roughly equivalent to a token given to an application by the provider of the user’s account.
Modern Authentication is based on OAuth 2.0. You’ve most likely encountered this type of authentication before if you’ve ever used the “Sign in with [Account]” button to allow an application to access your account or verify your identity. What makes it different from Basic Authentication?
Modern Authentication uses tokens provided by an identity provider (for example, Microsoft), instead of the actual password of the user’s account (such as their Microsoft account). Tokens are more secure than passwords as they contain specific bits of information, known as claims. These specify additional rules for accessing the account, such as
- An expiration date
- Which application can use the token
These rules provide a lot more control over what can be done with a user’s account and its information.
Accessing Specific Information
What if someone only wants a user to access the information in a single building? They’d want to authorize their ID card to let them swipe into only that building and none others. This is possible to do with Modern Authentication by adding granular scopes, something Nylas offers.
Due to the COVID-19 crisis, however, Microsoft decided to give customers more time to move away from Basic Authentication and pushed back its deprecation. In Februrary 2021 Microsoft announced they are postponing Basic Authentication end of life indefinitely for existing tenants, but that they will continue to disable the feature for inactive customers.
Here’s the deadlines:
- After October 2020 – any new or inactive tenants of Exchange Online will have Basic Authentication disabled by default.
- TBD – Microsoft will provide 12 months’ notice for the official date that Basic Authentication will be disabled for all active Exchange Online users.
If you’re an existing Nylas customer actively using Microsoft accounts, you won’t be affected until the second half of 2021. At that point, you’ll need to switch over to Modern Authentication. You don’t have to wait, though. Nylas already supports Modern Authentication for Microsoft accounts (and others, like Google’s), so you can get these improved security features now. Let’s go over what that entails.
Enhance Security and Lower Maintenance with the Nylas APIs
The Nylas APIs connect your application to every email, calendar, and contacts provider in a scalable way – no maintenance required. On average, it takes over 19,000 hours and approximately $1.2M in development costs to integrate with Microsoft Exchange alone, and piling on other providers drastically increases the costs.
With Nylas, you can integrate with our modern REST API once and connect to every provider in less than 18 days. Nylas is SOC 2 certified, EU Privacy Shield certified, and employs GDPR compliant processes. Our suite of email, calendar, and contacts APIs are easier to integrate with and to maintain over time.
Refine Data Access With Nylas Authentication Scopes
Another benefit to integrating with Nylas over provider-specific APIs is authentication Scopes. By using authentication scopes, you get the benefits of:
- Syncing only the data your users need
- Enabling your users to know exactly what is being synced
- Controlling which actions (like read, edit & send) can be performed on specific parts of your users’ data
It’s always a security best practice to only sync only what is needed, and we can help you do so with both Microsoft’s Exchange ActiveSync and Exchange Web Service protocols.
For more information on taking advantage of OAuth with Nylas, check out our OAuth Support for Office 365 Accounts resource.
Support When You Need It
Fortunately, Microsoft seems astutely aware of the impact this deprecation will have for many of their users. If you’ve got a question for them, they’re encouraging admins and users to chime in on their blog posts.
And as always, Nylas is here to help you stay connected. As the date approaches, we’ll be following up with more information on the matter. In the meantime, be sure to check out the rest of our support documentation for in-depth guides and articles. You’re always welcome to drop us a question directly with our support team as well.