OAuth? Oh yes! Modern Authentication will be required for Exchange Online, so get ready

Many firms and organizations (including Kraft Kennedy!) have embraced Exchange Online over the past five years. Not worrying about on-premises Exchange storage and redundancy is often reason-enough for firms to make the jump. However the change to the cloud brings with it security concerns as any integrated application must now connect over the internet to the Exchange Online environment, rather than directly to the on-premises Exchange environment. That means that even other on-premise applications and scripts need to reach out to the cloud to connect to a user’s mailbox. For years, Microsoft allowed Basic Authentication to Exchange Online, meaning that all that was required was a username and password. However, as a means of increasing security, Microsoft has announced plans to end the ability to connect to Exchange Online with Basic Authentication, and start requiring OAuth 2.0 (also known as Modern Authentication) instead. OAuth is an open standard that is used for many applications and websites that can grant access to other system’s information but without giving them the password.

Originally, the cutoff date for Basic Authentication was supposed to be October 2020. However, due to COVID-19, Microsoft has decided to push back this date until the second half of 2021. While this does give everyone some more time to adjust, it still means that firms will need to reconfigure any applications that integrate with Exchange Online to use Modern Authentication instead.

This will require vendors of third-party applications that integrate with Exchange Online to support Modern Authentication. This may require new versions of, or patches to, existing applications, which may in turn require other components to be upgraded or reconfigured.

This summer is the time to begin looking at your applications that integrate with Exchange Online, and ensuring you can plan out what is needed to get them configured for Modern Authentication before the 2021 deadline arrives. After that date, any application with Basic Authentication will stop working properly.