Microsoft has begun to officially deprecate Basic Authentication for many Exchange Online protocols, including Exchange Web Services (EWS) and Exchange ActiveSync (EAS). Applications that sync Microsoft Online accounts should begin migrating to Modern Authentication today to make the transition as smooth as possible for your users.
In this guide, we’ll discuss how to best support migration from Basic Auth to OAuth, including:
Last Updated: April 8th, 2021
Microsoft is moving away from password-based Basic Authentication in Exchange Online and will disable it in the near future. Applications will instead have to use OAuth 2.0 token-based Modern Authentication to keep working with these services. Exchange Online supports many protocols, but not all of them are affected. The ones that are:
Note that for now, Microsoft will not be disabling Basic Authentication for the following protocols:
Imagine the information of a user’s account having physically manifested in all the rooms of their house. In one room is all their contact information, another is a box of signed letterhead with their name on it, and so on. To show someone what’s in their house, they’ll have to give them a house key, and thus anyone who has that key will have access to the house at any time. This is essentially what Basic Authentication is, but with a username and password (a user’s credentials) being the key.
Basic Authentication requires nothing more than the user's username and password to reach the account. The application sends those credentials, base64-encoded but not encrypted, in the Authorization header of *every request*. This is simple to implement, but it leaves the credentials, and with them the whole account, exposed: anyone who captures a single request holds a secret that works against every protocol until the user changes their password.
Here are a few ways basic authentication is lacking:
So why is Microsoft deprecating Basic Authentication? Because a long-lived, reusable password sent on every request is no longer an adequate security control: it cannot enforce multi-factor authentication, it cannot be limited to one application or one kind of data, and it is the usual target of password-spray and credential-stuffing attacks against Exchange Online.
Now imagine all of a user’s account information is instead physically manifested in different offices in a building. Anyone who wants to enter an office needs to swipe their ID card. This ID card was given to them when starting at a company and knows the areas they need to access. This ID might also expire, so when they move on and no longer need access to the building, they lose that access. This is similar to how Modern Authentication works, where an ID card is roughly equivalent to a token given to an application by the provider of the user’s account.
Modern Authentication is based on OAuth 2.0. You’ve most likely encountered this type of authentication before if you’ve ever used the “Sign in with [Account]” button to allow an application to access your account or verify your identity. What makes it different from Basic Authentication?
Modern Authentication uses tokens issued by an identity provider (for example, Microsoft) instead of the password of the user's account. A token is safer than a password because it is signed by the issuer, is short-lived, and carries specific pieces of information, known as claims, that state the conditions under which it may be used, such as
These rules provide a lot more control over what can be done with a user’s account and its information.
What if someone only wants a user to access the information in a single building? They’d want to authorize their ID card to let them swipe into only that building and none others. This is possible to do with Modern Authentication by adding granular scopes, something Nylas offers.
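To make the contrast concrete, here is an added example (written for this article, not Nylas or Microsoft code) that plays the resource-server side of both schemes. It recovers the password from a constructed Basic header to show that base64 offers no protection, then validates a constructed bearer token: signature first, then expiry (`exp`), audience (`aud`) and the scope (`scp`) the requested operation needs, and shows that a token with its scopes edited fails signature verification. The HS256 demo key, the claim values and the scope strings are assumptions for the demo; real Exchange Online tokens are RSA-signed by Azure AD and verified against its published signing keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Demo-only HMAC key (constructed). Real Exchange Online tokens are RS256-signed by
# Azure AD and verified against its published JWKS, not a shared secret like this.
DEMO_SIGNING_KEY = b"demo-signing-key-not-a-real-secret"


def decode_basic_header(header):
    """Recover username and password from an 'Authorization: Basic' header.

    Base64 is an encoding, not encryption: whoever captures this header on the
    wire, in a proxy log or in a crash dump holds the user's password, and it
    stays valid for every protocol until the user changes it.
    """
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims, key=DEMO_SIGNING_KEY):
    """Issue an HS256 JWT carrying the given claims (stands in for the identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def check_bearer_token(token, required_scope, audience, now=None, key=DEMO_SIGNING_KEY):
    """Validate a bearer token as a resource server should. Returns (ok, reason).

    Order matters: verify the signature before trusting any claim, then enforce
    expiry, audience and the scope the requested operation needs.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad padding, bad UTF-8 and bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if required_scope not in claims.get("scp", "").split():
        return False, f"missing scope {required_scope}"
    return True, "ok"


def demo():
    """Run both schemes against constructed inputs and return the outcomes."""
    audience = "https://outlook.office.com"  # assumed resource identifier for the demo
    issued = 1617840000                      # constructed timestamp (2021-04-08 UTC)

    # Basic Auth: the header *is* the password (constructed credentials).
    basic_header = "Basic " + base64.b64encode(b"alice@contoso.example:hunter2").decode("ascii")
    user, password = decode_basic_header(basic_header)

    # Modern Auth: a token bound to one audience, two read-only scopes, one hour.
    claims = {"aud": audience, "sub": user, "scp": "Mail.Read Calendars.Read",
              "iat": issued, "exp": issued + 3600}
    token = mint_demo_token(claims)

    # Tampering attempt: add Mail.Send to the scopes but keep the original signature.
    header_b64, _, sig_b64 = token.split(".")
    forged_claims = dict(claims, scp="Mail.Read Calendars.Read Mail.Send")
    forged = f"{header_b64}.{_b64url_encode(json.dumps(forged_claims).encode())}.{sig_b64}"

    return {
        "basic_reveals": (user, password),
        "read_mail": check_bearer_token(token, "Mail.Read", audience, now=issued + 60),
        "send_mail": check_bearer_token(token, "Mail.Send", audience, now=issued + 60),
        "read_mail_later": check_bearer_token(token, "Mail.Read", audience, now=issued + 7200),
        "other_service": check_bearer_token(token, "Mail.Read", "https://graph.microsoft.com", now=issued + 60),
        "forged_scope": check_bearer_token(forged, "Mail.Send", audience, now=issued + 60),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes is the one the analogy makes: the Basic header hands over the house key, while the token only opens the offices its claims name, only until `exp`, and only at the service named in `aud`; changing the claims without the issuer's key invalidates the signature.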
Due to the COVID-19 crisis, however, Microsoft decided to give customers more time to move away from Basic Authentication and pushed back its deprecation. In February 2021 Microsoft announced that it is postponing the end of life of Basic Authentication until further notice for existing tenants that still actively use it, while continuing to disable it for tenants with no recorded usage.
Here are the deadlines:
If you’re an existing Nylas customer actively using Microsoft accounts, you won’t be affected until the second half of 2021. At that point, you’ll need to switch over to Modern Authentication. You don’t have to wait, though. Nylas already supports Modern Authentication for Microsoft accounts (and others, like Google’s), so you can get these improved security features now. Let’s go over what that entails.
The Nylas APIs connect your application to every email, calendar, and contacts provider in a scalable way – no maintenance required. On average, it takes over 19,000 hours and approximately $1.2M in development costs to integrate with Microsoft Exchange alone, and piling on other providers drastically increases the costs.
With Nylas, you can integrate with our modern REST API once and connect to every provider in less than 18 days. Nylas is SOC 2 certified, EU Privacy Shield certified, and employs GDPR compliant processes. Our suite of email, calendar, and contacts APIs are easier to integrate with and to maintain over time.
Another benefit to integrating with Nylas over provider-specific APIs is authentication Scopes. By using authentication scopes, you get the benefits of:
It’s always a security best practice to sync only what is needed, and we can help you do so with both Microsoft’s Exchange ActiveSync and Exchange Web Services protocols.
For more information on taking advantage of OAuth with Nylas, check out our OAuth Support for Office 365 Accounts resource.
Fortunately, Microsoft seems astutely aware of the impact this deprecation will have for many of their users. If you’ve got a question for them, they’re encouraging admins and users to chime in on their blog posts.
And as always, Nylas is here to help you stay connected. As the date approaches, we’ll be following up with more information on the matter. In the meantime, be sure to check out the rest of our support documentation for in-depth guides and articles. You’re always welcome to drop us a question directly with our support team as well.
Tasia is the Director of Product Marketing at Nylas. She's passionate about communications and helping connect the world through APIs. In her free time, she writes and produces music.