Oct 29, 2019|3 min|Technology

Secure Office 365 backups with OAuth 2.0

Security is paramount for Office 365 as it evolves to be the backbone for collaboration for organizations of all sizes. Both internal and external stakeholders share information that is vital to the functioning of the organization. It’s important to align with best practices to enhance the security around the most critical business information.

Defining Office 365 Authentication and Authorization

In a security framework, authentication and authorization define who can access the data and via what mechanisms. And while authorizations are specific to an organization, all organizations can easily strive to be more secure by implementing secure authentication mechanisms.

For backing up Office 365 data, especially mailboxes, Microsoft supports two different interfaces – an older Exchange Web Services (EWS) API and a newer Graph API. While Graph API is the more secure and preferred option for communication with 365, there are functionalities that are still only supported by EWS API and so it’s important to implement security for the EWS API too.

EWS API shares its roots with on-premises Exchange and supports basic authentication via username and password. Microsoft extended the use of EWS to Exchange Online too, and so Exchange Online has supported basic authentication from the start. Microsoft introduced strong authentication to EWS along similar lines to Graph APIs and has been encouraging organizations to embrace that. Microsoft discusses the authentication mechanism and pros and cons of using them under Authentication and EWS in Exchange, but a summary of comparison between basic and strong authentication is below.

Microsoft Authentication: Basic vs. Strong

Basic Authentication Strong Authentication
  • Requires your application to collect and store the user’s credentials
  • If a security breach occurs in your application, it can expose the user’s email address and password to the attacker
  • Based on OAuth, an industry-standard authentication protocol
  • Authentication is managed by a third-party provider. Your application does not have to collect and store the Exchange credentials
  • Application only receives an opaque token from the authentication provider security breach in the application can only expose the token, not the user’s Exchange credentials

 

Microsoft Graph is the de facto integration API for OneDrive for Business and SharePoint Online services, and leverages strong authentication. Further, Microsoft announced decommissioning of basic authentication for EWS APIs on 13th October, 2020. So, the message is loud and clear that they want the applications to use OAuth 2.0 for EWS APIs as well.

Cohesity’s Office 365 data protection offering leverages both EWS and Graph API when interacting with Office 365. And we align with Microsoft in supporting the best practices to secure Office 365 communications, either via EWS or Graph. So, Cohesity DataProtect supports OAuth 2.0 authentication for Microsoft Office 365 backup solution. Customers can enable OAuth 2.0 while registering the Office 365 source on a Cohesity DataPlatform cluster.

Enable OAuth at Source Registration to Use OAuth Authentication Workflow.
Enable OAuth at Source Registration to Use OAuth Authentication Workflow.

 

Cohesity’s Saurabh Singh and Mayank Joshi co-authored this blog.

Written by

mayank-cohesity-blog

Mayank Joshi

Product Line Manager - Data Protection & Management

mayank-cohesity-blog

Mayank Joshi

Product Line Manager - Data Protection & Management

Mayank leads Product Management on Data Protection solutions for SaaS workloads like M365, and other Modern Workloads like the NoSQL databases. He also leads product management for the Cohesity Indexing infrastructure that powers the famed Cohesity search.

You may also like

resource
Blog

Cohesity Cloud Services expands to support workloads in Microsoft Azure

X image
Icon ionic ios-globe

You are now leaving the German section of www.cohesity.com/de/ and come to an English section of the site. Please click if you want to continue.

Don't show this warning again

Icon ionic ios-globe

You are now leaving the German section of www.cohesity.com/de/ and come to an English section of the site. Please click if you want to continue.

Don't show this warning again