question

0 Votes
maggie23-uipath asked maggie23-uipath commented

Basic Authentication Deprecation in Microsoft Graph API?

As per Microsoft, Basic Authentication will be deprecated in Exchange Online effective October 1, 2022. This ability will be removed from Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.

I know it is not listed, but I want to double check if anybody knows for certain if the ability to authenticate with username/password to a Microsoft O365 application via the Microsoft Graph API will be removed. It is worth noting that this application will have access to Exchange mailboxes, which is where the confusion comes in if Microsoft's deprecation statement about Exchange Online will affect this flow or not.

There is a note that talks about disabling Basic Authentication in cloud environments that may include this ask, but it is not clear to me. The note in Microsoft's notice is as follows:


In Office 365 Operated by 21Vianet, we will begin disabling Basic authentication on March 31, 2023. All other cloud environments are subject to the October 1, 2022 date.


azure-ad-app-registration azure-ad-graph azure-app-configuration microsoft-graph-authentication

2 Votes
grtaylor answered maggie23-uipath commented

The ROPC grant is not affected by the deprecation of Basic Auth from Exchange Online. Only direct connections to Exchange with basic creds are affected. ROPC might not be recommended, but there are still more safeguards (app registration, consent, scope, etc.) with it than there are with traditional username/password.


Thank you Greg!

1 Vote 1 ·

Thank you, @grtaylor!

0 Votes 0 ·
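
The distinction drawn in the answer above, between sending a username/password directly to Exchange and using the ROPC grant, shown at the request level as an added example (not code from this thread or from Microsoft). The sample requests are constructed; the tenant ID, client ID, credentials and the `classify`/`audit` helpers are hypothetical.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests; tenant, client ID and credentials are placeholders.
SAMPLES = {
    "ews_basic": {
        "url": "https://outlook.office365.com/EWS/Exchange.asmx",
        "headers": {"Authorization": "Basic " + base64.b64encode(
            b"user@contoso.example:placeholder-password").decode()},
        "body": "",
    },
    "ropc_token": {
        "url": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": ("grant_type=password&client_id=CLIENT_ID"
                 "&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.Read"
                 "&username=user%40contoso.example&password=placeholder-password"),
    },
    "graph_bearer": {
        "url": "https://graph.microsoft.com/v1.0/me/messages",
        "headers": {"Authorization": "Bearer PLACEHOLDER_ACCESS_TOKEN"},
        "body": "",
    },
}

def classify(request):
    """Label one outbound request by how the credential travels."""
    parts = urlsplit(request["url"])
    headers = {k.lower(): v for k, v in request["headers"].items()}
    scheme = headers.get("authorization", "").split(" ", 1)[0].lower()
    if scheme == "basic":
        # Password goes to the resource itself on every call.
        return "basic-auth"
    if parts.hostname == "login.microsoftonline.com" and parts.path.endswith("/oauth2/v2.0/token"):
        form = parse_qs(request["body"])
        if form.get("grant_type") == ["password"]:
            # Password goes once to the identity platform, tied to an app and scope.
            return "oauth-ropc-token-request"
        return "oauth-token-request"
    if scheme == "bearer":
        # The API only ever sees a token, never the password.
        return "oauth-bearer-call"
    return "unauthenticated-or-other"

def audit(requests):
    """Classify every request in a name -> request mapping."""
    return {name: classify(req) for name, req in requests.items()}

if __name__ == "__main__":
    for name, label in audit(SAMPLES).items():
        print(f"{name}: {label}")
```
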
1 Vote
michev answered maggie23-uipath commented

Do you mean using the ROPC flow?


Hi @michev, I believe you might be right that the ROPC flow is what is being used. To clarify, the specific workflow I have in mind using this authentication method is using the Microsoft identity platform to establish an authenticated connection to a Microsoft O365 application registered in Azure AD. The connection enables a service authenticating with username/password to call the Microsoft Graph API to read and write resources on a user's behalf. This registered application in particular will have access to Exchange Online mailboxes. That is where my confusion comes in on whether or not this Basic Authentication flow will be decommissioned in October 2022 or not.

0 Votes 0 ·
michev maggie23-uipath ·

I'm not 100% sure about the answer here. It's technically OAuth, so not considered basic auth, but it's also certainly not a recommended approach (you can see the big warning in the documentation). Whether Microsoft has any plans to block it specifically in the context of Exchange Online in the timeframes outlined above, I cannot tell. I've pinged an MS source on this and will circle back once I have an answer.

1 Vote 1 ·

Hi @michev, thank you very much. I'm looking forward to hearing back from you and your Microsoft resource.

0 Votes 0 ·