Microsoft Exchange Online and Basic authentication
⛔️ As of October 1, 2022, Microsoft has deprecated Basic authentication support for all Exchange Online accounts. For more information, see the deprecation notes section.
This page details the changes to Microsoft Basic authentication and how to fix any issues you might encounter because of the change.
Deprecation notes for Microsoft Basic authentication
Microsoft deprecated Basic authentication for all Exchange Online accounts as of October 1, 2022. This affects Exchange Online accounts (Microsoft 365/Office 365) and Exchange Server Accounts in hybrid deployments.
The change doesn't affect personal accounts, such as those with the @outlook.com and @hotmail.com domains, or MSN accounts.
For more information, you can read Microsoft's official announcement.
How to prepare for these changes
You must take the following steps ensure there are no disruptions to your integration:
- Create an Azure application for your end users' Exchange Online accounts.
- Set up OAuth for your Microsoft application.
- Re-authenticate your end users.
Create an Azure application
As of April 30, 2022, Nylas requires you make a separate Azure application for all customers who want to sync Exchange Online accounts. You can follow the steps to create an Azure App.
In addition to adding the EWS / EAS scopes you use today, make sure that you have the required Graph permissions below for services you use:
- Email messages — Read only:
Mail.Read - Email messages — Read and Write:
Mail.ReadWrite - Send email messages:
Mail.ReadWrite,Mail.Send - Calendar — Read and Write:
Calendar.ReadWrite - Contacts — Read only:
Contacts.Read - Contacts — Read and Write:
Contacts.ReadWrite
Because Nylas will be moving the services in phases, you should keep your existing EWS/EAS scopes to avoid interruptions to your Microsoft integration. You'll be notified when you can remove the EWS scopes.
Set up Microsoft OAuth
Once your Azure app is set up, any new Exchange Online & Microsoft 365 users will be automatically redirected to the OAuth process.
For existing users who have previously authenticated using Basic Auth, follow the steps listed in the Re-Authenticating Existing Users section.
If you are using Native Authentication (called "Custom Authentication" in v3), you must build an app that uses OAuth for all re-authenticated accounts, as well as any new authentications. See the Nylas Microsoft Authentication guide for more information.
What is OAuth and why is it beneficial?
OAuth 2.0 is a modern, open standard for more secure authentication that doesn’t require sharing your credentials with third parties. It supports Single Sign On (SSO), Multi-Factor Authentication (MFA), granular scopes for access to end user data, and many other features to keep your data much more secure in comparison to password-based authentication, which provides none of these features.
Re-authenticate end users
You'll need to re-authenticate all existing users that are currently using Basic authentication.
Identify affected accounts
To identify affected accounts, use the /a/{client_id}/accounts endpoint and filter by provider=eas or provider=ews, along with the authentication_method=password. This will return all accounts that are currently authenticated using Basic authentication.
You'll need to re-authenticate all accounts that are returned. With the account email, you can start setting up Hosted auth by including the login_hint. If you'd prefer to use Native auth, you can set this up instead.
An example Python script on how to use this API to iterate through all accounts and detect the accounts that need to be migrated is below:
import requests
import json
import base64
nylas_client_id="<NYLAS_CLIENT_ID>"
nylas_client_secret="<NYLAS_CLIENT_SECRET>"
auth_header = base64.b64encode(nylas_client_secret.encode("utf-8") + b":")
headers = {
b'Content-Type': b'application/json',
b'Authorization': b'Basic ' + auth_header
}
pagination_offset = 0
pagination_limit = 50
exchange_providers = ["eas", "ews"]
exchange_password_accounts = []
while True:
url = "https://api.nylas.com/a/{}/accounts?offset={}&limit={}".format(nylas_client_id, pagination_offset, pagination_limit)
response = requests.request("GET", url, headers=headers)
if response.status_code != 200:
break
data = response.json()
for account in data:
if account.get("provider") in exchange_providers and account.get("authentication_type") == "password":
exchange_password_accounts.append(account)
if len(data) < pagination_limit:
break
pagination_offset += len(data)
print(exchange_password_accounts) Re-authenticate affected users
After you have identified the affected users, you'll need to re-authenticate them using the OAuth flow.