Secure Office 365 backups with OAuth 2.0

By Mayank Joshi • October 29, 2019

Security is paramount for Office 365 as it evolves to be the backbone for collaboration for organizations of all sizes. Both internal and external stakeholders share information that is vital to the functioning of the organization. It’s important to align with best practices to enhance the security around the most critical business information.

Defining Office 365 Authentication and Authorization

In a security framework, authentication and authorization define who can access the data and via what mechanisms. And while authorizations are specific to an organization, all organizations can easily strive to be more secure by implementing secure authentication mechanisms.

For backing up Office 365 data, especially mailboxes, Microsoft supports two different interfaces – an older Exchange Web Services (EWS) API and a newer Graph API. While Graph API is the more secure and preferred option for communicating with Office 365, some functionality is still only available through the EWS API, so it is important to secure EWS API access as well.

EWS API shares its roots with on-premises Exchange and supports basic authentication via username and password. Microsoft extended the use of EWS to Exchange Online too, so Exchange Online has supported basic authentication from the start. Microsoft later introduced strong authentication to EWS along similar lines to the Graph APIs and has been encouraging organizations to adopt it. Microsoft discusses these authentication mechanisms and the pros and cons of each under Authentication and EWS in Exchange; a summary comparison of basic and strong authentication follows.

Microsoft Authentication: Basic vs. Strong

Basic Authentication
  • Requires your application to collect and store the user’s credentials
  • If a security breach occurs in your application, it can expose the user’s email address and password to the attacker

Strong Authentication
  • Based on OAuth, an industry-standard authentication protocol
  • Authentication is managed by a third-party provider. Your application does not have to collect and store the Exchange credentials
  • Application only receives an opaque token from the authentication provider; a security breach in the application can only expose the token, not the user’s Exchange credentials

Microsoft Graph is the de facto integration API for OneDrive for Business and SharePoint Online services, and leverages strong authentication. Further, Microsoft announced decommissioning of basic authentication for EWS APIs on 13th October, 2020. So, the message is loud and clear that they want the applications to use OAuth 2.0 for EWS APIs as well.
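As an added example (not code from the original post or from Cohesity), the following Python audit illustrates the comparison above from the administrator's side: it classifies an HTTP Authorization header as Basic or Bearer and flags requests to the EWS endpoint that still carry Basic credentials, the connectors an organization would want to move to OAuth 2.0 before basic authentication is decommissioned. The request records, host names and tokens are constructed; the EWS path is the standard Exchange.asmx endpoint.

```python
import base64
from typing import Dict, List

EWS_PATH = "/EWS/Exchange.asmx"  # EWS SOAP endpoint on Exchange Online


def classify_authorization(header: str) -> Dict[str, object]:
    """Classify an Authorization header as Basic (RFC 7617) or Bearer (RFC 6750).

    A Basic header is only base64-encoded, so whoever sees it can recover the
    user's email address and password (the password is deliberately not returned
    here). A Bearer header exposes only the token, not the Exchange credentials.
    """
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return {"scheme": "basic", "credential_recoverable": True, "user": None}
        user, _, _password = decoded.partition(":")
        return {"scheme": "basic", "credential_recoverable": True, "user": user}
    if scheme == "bearer":
        return {"scheme": "bearer", "credential_recoverable": False, "user": None}
    return {"scheme": scheme or "none", "credential_recoverable": False, "user": None}


def audit_ews_requests(requests: List[Dict[str, str]]) -> List[str]:
    """Return one finding per EWS request that still uses basic authentication."""
    findings = []
    for req in requests:
        if not req.get("path", "").lower().startswith(EWS_PATH.lower()):
            continue  # Graph or other endpoints are out of scope for this audit
        info = classify_authorization(req.get("authorization", ""))
        if info["scheme"] == "basic":
            findings.append(f"{req['client']} -> {req['path']}: basic auth as user "
                            f"{info['user']!r}; move this connector to OAuth 2.0")
    return findings


# Constructed sample capture (not real traffic): two backup hosts talking to Office 365.
SAMPLE_REQUESTS = [
    {"client": "backup-host-01", "path": "/EWS/Exchange.asmx",
     "authorization": "Basic " + base64.b64encode(b"backup@contoso.example:NotARealPassword").decode()},
    {"client": "backup-host-02", "path": "/EWS/Exchange.asmx",
     "authorization": "Bearer constructed-opaque-token-abc123"},
    {"client": "backup-host-02", "path": "/v1.0/users/delta",
     "authorization": "Bearer constructed-opaque-token-def456"},
]

if __name__ == "__main__":
    for finding in audit_ews_requests(SAMPLE_REQUESTS):
        print(finding)
```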

Cohesity’s Office 365 data protection offering leverages both EWS and Graph API when interacting with Office 365. And we align with Microsoft in supporting the best practices to secure Office 365 communications, whether via EWS or Graph. So, Cohesity DataProtect supports OAuth 2.0 authentication for its Microsoft Office 365 backup solution. Customers can enable OAuth 2.0 while registering the Office 365 source on a Cohesity DataPlatform cluster.

Enable OAuth at Source Registration to Use OAuth Authentication Workflow.

Cohesity’s Saurabh Singh and Mayank Joshi co-authored this blog.