Exchange Web Services Fossilizes, Loses Basic Authentication
Exchanged for a Graph
The word is out. Exchange Web Services (EWS) will receive no more feature updates, though security and “certain non-security” updates will continue going forward. The same applies to EWS’s SDKs for Java and .NET. EWS will remain available and supported in production environments, but the lack of feature updates means that it will be—essentially—fossilized in its current state. Instead, Microsoft Graph will be the recipient of new features and updates.
Basic Authentication for EWS, however, will no longer be supported at all as of Oct 13, 2020. While convenient to use due to its prevalence, Basic Authentication has been declared too much of a risk in comparison to the security and utility of OAuth 2.0. After the 13th, new and existing apps won’t be able to connect to Exchange Online using Basic Authentication.
A question may instantly jump to mind: how do you know which apps use Basic Authentication to connect to Exchange Web Services? Users of Office 2019 or 2019 Pro Plus won’t have their Outlook access affected, but what about other apps integrated in your tenant? The unfortunate news is that, for now at least, you’ll need to do the legwork yourself. Check in with the developers of any likely app to see how it authenticates to Exchange Online. In their post, Microsoft hints that at some point this may become an easier process, though when is anyone’s guess.
Note too that the decommissioning of Basic Authentication in EWS will only have implications for cloud-only environments. On-premises Exchange will be completely unaffected, as will hybrid Exchange’s token-based authentication method. An unexpected advantage of hybrid, to be sure.