Microsoft Basic Auth vs Microsoft OAuth

Microsoft Basic Auth vs Microsoft OAuth

How to migrate from Basic Authentication to OAuth.

Tasia Potasinski | May 5, 2020

Starting in the second half of 2021, Microsoft will officially be deprecating Basic Authentication for many Exchange Online protocols, including Exchange Web Services (EWS) and Exchange ActiveSync (EAS). Applications that sync Microsoft Online accounts should begin migrating to Modern Authentication today to make the transition as smooth as possible for your users.

In this guide, we’ll discuss how to best support migration from Basic Auth to OAuth, including:

  1. Basic Auth vs OAuth: Key Differences
  2. Microsoft’s Timeline
  3. Enhance Security and Lower Maintenance with the Nylas APIs
  4. How to get better support for your Microsoft integration

Basic Authentication vs. OAuth: Key Differences

Microsoft is moving away from the password-based Basic Authentication in Exchange Online and will be disabling it in the near future. Instead, applications will have to use the OAuth 2.0 token-based Modern Authentication to continue with these services. Microsoft uses a lot of protocols, but not all will be affected. The ones that will be included:

  • Exchange Web Services (EWS)
  • Exchange ActiveSync (EAS)
  • POP
  • IMAP
  • Remote PowerShell

Note that for now, Microsoft will not be disabling Basic Authentication for the following protocols:

  • SMTP 
  • Exchange Server

What is Basic Authentication?

Imagine the information of a user’s account having physically manifested in all the rooms of their house. In one room is all their contact information, another is a box of signed letterhead with their name on it, and so on. To show someone what’s in their house, they’ll have to give them a house key, and thus anyone who has that key will have access to the house at any time. This is essentially what Basic Authentication is, but with a username and password (a user’s credentials) being the key.

Basic authentication only requires a user’s credentials to access their account. The user’s credentials are sent from the application for *every request*. While this is straightforward, this process can leave their credentials, and thus their account, vulnerable.  

Here are a few ways basic authentication is lacking:

  • If the connection is not secured through TLS, the password could be intercepted
  • If multi-factor authentication is not set up (as is typical with Basic Authentication) there are no additional safeguards preventing people who now have the credentials from accessing the account
  • Their credentials give access to all resources associated with their account
  • Their credentials can be used by anyone, at anytime

So why is Microsoft deprecating basic authentication? They believe it’s not an effective enough security method for today’s users.

What is Modern Authentication?

Now imagine all of a user’s account information is instead physically manifested in different offices in a building. Anyone who wants to enter an office needs to swipe their ID card. This ID card was given to them when starting at a company and knows the areas they need to access. This ID might also expire, so when they move on and no longer need access to the building, they lose that access. This is similar to how Modern Authentication works, where an ID card is roughly equivalent to a token given to an application by the provider of the user’s account.

Modern Authentication is based on OAuth 2.0. You’ve most likely encountered this type of authentication before if you’ve ever used the “Sign in with [Account]” button to allow an application to access your account or verify your identity. What makes it different from Basic Authentication?

Modern Authentication uses tokens provided by an identity provider (for example, Microsoft), instead of the actual password of the user’s account (such as their Microsoft account). Tokens are more secure than passwords as they contain specific bits of information, known as claims. These specify additional rules for accessing the account, such as

  • An expiration date
  • Which application can use the token

These rules provide a lot more control over what can be done with a user’s account and its information. 

Accessing Specific Information

What if someone only wants a user to access the information in a single building? They’d want to authorize their ID card to let them swipe into only that building and none others. This is possible to do with Modern Authentication by adding granular scopes, something Nylas offers. 

Microsoft’s Timeline

  • In July 2018, Microsoft announced they will be disabling Basic Authentication in Exchange Web Services on October 13th, 2020.
  • In September 2019, they announced other Exchange Online protocols will be disabled on October 13th, 2020 as well.

Due to the COVID-19 crisis, however, Microsoft decided to give customers more time to move away from Basic Authentication and pushed back its deprecation. Here’s what the new deadlines are:

  • After October 2020, any new or inactive tenants of Exchange Online will have Basic Authentication disabled by default.
  • In the second half of 2021, active Exchange Online users will have Basic Authentication disabled.

If you’re an existing Nylas customer actively using Microsoft accounts, you won’t be affected until the second half of 2021. At that point, you’ll need to switch over to Modern Authentication. You don’t have to wait, though. Nylas already supports Modern Authentication for Microsoft accounts (and others, like Google’s), so you can get these improved security features now. Let’s go over what that entails.

Enhance Security and Lower Maintenance with the Nylas APIs

The Nylas APIs connect your application to every email, calendar, and contacts provider in a scalable way – no maintenance required. On average, it takes over 19,000 hours and approximately $1.2M in development costs to integrate with Microsoft Exchange alone, and piling on other providers drastically increases the costs.

With Nylas, you can integrate with our modern REST API once and connect to every provider in less than 18 days. Nylas is SOC 2 certified, EU Privacy Shield certified, and employs GDPR compliant processes. Our suite of email, calendar, and contacts APIs are easier to integrate with and to maintain over time.

Refine Data Access With Nylas Authentication Scopes

Another benefit to integrating with Nylas over provider-specific APIs is authentication Scopes. By using authentication scopes, you get the benefits of:

  • Syncing only the data your users need
  • Enabling your users to know exactly what is being synced
  • Controlling which actions (like read, edit & send) can be performed on specific parts of your users’ data

It’s always a security best practice to only sync only what is needed, and we can help you do so with both Microsoft’s Exchange ActiveSync and Exchange Web Service protocols.

For more information on taking advantage of OAuth with Nylas, check out our OAuth Support for Office 365 Accounts resource.

Support When You Need It

Fortunately, Microsoft seems astutely aware of the impact this deprecation will have for many of their users. If you’ve got a question for them, they’re encouraging admins and users to chime in on their blog posts.

And as always, Nylas is here to help you stay connected. As the date approaches, we’ll be following up with more information on the matter. In the meantime, be sure to check out the rest of our support documentation for in-depth guides and articles. You’re always welcome to drop us a question directly with our support team as well.

About the Author

Tasia is the Director of Product Marketing at Nylas. She's passionate about communications and helping connect the world through APIs. In her free time, she writes and produces music.

Ready to Start Building?