Only show these results:

Microsoft Exchange Online and Basic Auth Changes

Microsoft will be deprecating Basic Authentication support for all Exchange Online accounts as of October 1, 2022.

This affects:

  • Exchange Online Accounts (Microsoft 365/Office 365)
  • Exchange Server Accounts in a Hybrid Deployment

This will not affect:

  • Personal Accounts such as Outlook, Hotmail, live.com and MSN.

You can read the announcement from Microsoft to learn more.

Dates to Know

April 1, 2022: Nylas strongly encourages creating an Azure app for all new and existing customers that authenticate Exchange Online (Microsoft 365) accounts to prevent service disruption for your customers. This is due to the following policy being executed by Microsoft:

Starting April 1: Sometime in second quarter of 2022 (April 1) Microsoft will selectively pick tenants and disable Basic Auth for all affected accounts for a period of 12-48 hours. After this time, Basic Auth for these protocols will be re-enabled, if the tenant admin has not already re-enabled them using Microsoft’s self-service tools.

September 30, 2022: Nylas will stop supporting Basic Authentication for Exchange Online and Exchange Hybrid Deployment accounts for all Nylas applications.

October 1, 2022: Microsoft deprecates Basic Authentication for Exchange Online (Microsoft 365 accounts)

September 30, 2022

Nylas will invalidate the credentials for all existing exchange online accounts that are using Basic Authentication. Your customers will need to re-authenticate using OAuth to start syncing data again.

What Can You Do about These Changes?

You must take the following steps ensure there are no disruptions to your integration.

Create an Azure App

We will require an Azure app for all customers who want to sync Exchange Online accounts by April 30, 2022. You can follow the instructions for Creating an Azure App.

Ensure that you have the required Graph permissions below for services you use in addition to adding the EWS / EAS scopes you use today:

  • Email Messages Read only > Mail.Read
  • Email Messages Read and Write > Mail.ReadWrite
  • Email Send > Mail.Send
  • Calendar Read and Write > Calendar.ReadWrite
  • Contacts Read Only > Contacts.Read
  • Contacts Read and Write > Contacts.ReadWrite

Please keep the existing EWS/EAS scopes since we will be moving the services over in phases and it may cause interruptions to your integration if the EWS/EAS scopes are removed at this time. We will provide an update when the EWS scopes can be removed after the upgrade has been completed on our end.

Set Up OAuth Authentication

Once the Azure app is set up, all new Exchange Online & Microsoft 365 users will automatically be redirected to the OAuth process.

For existing users who have previously authenticated using Basic Auth, please follow the steps listed in the Re-authenticating Existing Users section.

If you are using Native authentication, you'll need to build an app that uses OAuth for all re-authenticated accounts and new authentications. You can learn more [https://developer.nylas.com/docs/the-basics/provider-guides/microsoft/microsoft-authentication/#modern-or-oauth-authentication]

What Is Oauth, and Why Is It Beneficial?

OAuth 2.0 is a modern, open standard for more secure authentication that doesn’t require sharing your actual password with third parties. It supports Single Sign On, Multi-factor authentication, granular scopes for access to end user data, and many other features to keep your data secure, while Basic password-based authentication doesn’t.

Re-Authenticating Existing Users

You'll need to reauthenticate all existing users using basic authentication.

Identifying the Affected Accounts

Use [GET /a/{client_id}/accounts](https://developer.nylas.com/docs/api/#get/a/client_id/accounts) endpoint and filter by provider=eas or provider=ews along with the authentication_method=password. This will return all accounts that currently authenticated using Basic Auth.

You will need to re-authenticate all of these accounts. Having the account email you can start hosted authentication including the login_hint , same can be done for Native Authentication.

An example Python script on how to use this API to iterate through all accounts and detect the accounts that need to be migrated:

import requests
import json
import base64

nylas_client_id="<CLIENT_ID>"
nylas_client_secret="<CLIENT_SECRET>"
auth_header = base64.b64encode(nylas_client_secret.encode("utf-8") + b":")

headers = {
  b'Content-Type': b'application/json',
  b'Authorization': b'Basic ' + auth_header
}

pagination_offset = 0
pagination_limit = 50
exchange_providers = ["eas", "ews"]
exchange_password_accounts = []

while True:
    url = "https://api.nylas.com/a/{}/accounts?offset={}&limit={}".format(nylas_client_id, pagination_offset, pagination_limit)
    response = requests.request("GET", url, headers=headers)

    if response.status_code != 200:
        break

    data = response.json()

    for account in data:
        if account.get("provider") in exchange_providers and account.get("authentication_type") == "password":
            exchange_password_accounts.append(account)

    if len(data) < pagination_limit:
        break

    pagination_offset += len(data)

print(exchange_password_accounts)

Re-auth Affected Users

Once you have identified the affected users, please go ahead and re-authenticate them using the Oauth flow.

What's Next?