Automation 360 and Basic authentication deprecation FAQ

Microsoft has announced EOL for Basic authentication that is used to connect to Exchange Online. This will impact automations (bots) using Email package or Email trigger that uses Basic authentication. Review the FAQ for details about the deprecation of Basic authentication.

What is Basic authentication deprecation?: Microsoft has announced that starting October 1, 2022, Basic authentication will be permanently turned off (disabled) for specific protocols in Exchange Online for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.; Exclusion: SMTP AUTH is excluded from this deprecation for tenants which are already using it; Any client (user app, script, integration, and so on) using Basic authentication for one of the affected protocols will be unable to connect after that specified date. The app will display an HTTP 401 error: bad username or password. Any app using OAuth 2.0 for these protocols will be unaffected.
Basic authentication in Exchange Online
What is Microsoft's recommendation to mitigate Basic authentication deprecation?: Per Microsoft's recommendation, you are requested to switch from Basic authentication to OAuth 2.0 if your clients or apps are using Basic authentication with any of the affected protocols to connect to Exchange server via Exchange Online.
Note: The Basic authentication deprecation applies to Exchange Online only and not to Exchange on-premises version.
Why this change?: Basic authentication is an outdated industry standard, less secure, and poses high risks to accessing customers' sensitive data. The latest industry standard is OAuth 2.0 which is more secure and less vulnerable to cyber attacks.

What if I am not ready for this change?: If you are not ready to switch to OAuth 2.0 by October 1, 2022, Microsoft has provided a one-time re-enablement option that will allow you to continue to use Basic authentication for specific protocols until end of December 2022. Per the Microsoft announcement, customers will be able to use the self-service diagnostic to re-enable Basic authentication for any protocols they need, once per protocol. After the diagnostic is run, Basic authentication will be re-enabled for the specified protocols and will stay enabled until the end of December 2022.
Note: During the first week of calendar year 2023, the specified protocols will be disabled for Basic authentication use permanently.

Basic Authentication Deprecation in Exchange Online – September 2022 Update

Where is Basic authentication used in Automation 360 product?

In Automation 360, the Basic authentication feature is available in the Connect, Send, Forward, and Reply actions of the Email package and in Email trigger where you configure connection parameters using any of the IMAP, POP3, SMTP, or EWS protocols.

How do I know if I am going to be impacted by Basic authentication deprecation?

Basic authentication deprecation will impact you for the following cases:

If you are automating email using Email package or Email trigger
If you are using Basic authentication to connect to Exchange Online
If you are using the IMAP, POP3, or EWS protocol

When Basic authentication will be disabled by Microsoft starting October 1, 2022, then all the Automation 360 bots for Email automation that meets the previously mentioned criteria will fail because the bot cannot connect to the Email server.

When will the support end?

Basic authentication will be disabled by Microsoft starting October 1, 2022.

How can I identify Automation 360 bots in my repository that are using Basic authentication with Email package or Email trigger?

For Automation 360 bots, you can run the Bot Scanner utility for EOL features.

Running Bot Scanner to scan bots for EOL features

The scanner will scan all the bots that are using Basic authentication with Email package or Email trigger and having IMAP, POP3, or EWS protocols.
The scanner will then generate a CSV output listing all the impacted bots, including the specific line numbers and the specific actions to be performed.

Which feature will be provided in Automation 360 to mitigate the risk of Basic authentication deprecation?

The OAuth 2.0 feature will be available in Automation 360 in the Email package for the Connect, Send, Forward, and Reply actions and Email trigger for IMAP, POP3, and EWS protocols so that you can use this feature to switch from Basic authentication to OAuth 2.0.

What is the schedule and release version for introducing the OAuth 2.0 feature in Automation 360?

The OAuth 2.0 feature will be delivered as a package only release in the week of August 29, 2022. This release will include the following:

Bot Scanner utility
Updated versions of Email package, Email trigger, and trigger listener

Where can I download the Email package?

You can download the Email package from the link in the following article: Everything about Basic Authentication deprecation in Microsoft Exchange online (A-People login required).

Is the OAuth 2.0 feature backward-compatible with any of the previous releases of Automation 360?

No. The OAuth 2.0 feature is not backward-compatible with previous Automation 360 releases. Therefore, you are requested to manually update the package released with Automation 360 v.25.

What are the steps involved to update my impacted bots to switch to OAuth 2.0?

See to the following documentation page for the steps to update your impacted bots and switching from Basic authentication to OAuth 2.0: Deprecation of Basic authentication in Exchange Online.

What are the different grant types or flows supported for OAuth 2.0 in Automation 360?

In Automation 360, there are two primary grant types that are supported for OAuth 2.0 across Email package and Email trigger:

Client credentials: Email package and Email trigger
Authorization code with PKCE: Email package

Within Email package, the individual Connect, Send, Forward, and Reply actions support each of these grant types as listed in the following table:


Action name	Email Server option	EWS option
Email > Connect	Client credentials	Client credentials
	Authorization code with PKCE	Authorization code with PKCE
	—	ROPC or Silent
	—	Implicit or Interactive
Email > Send	—	Client credentials
	Authorization code with PKCE	Authorization code with PKCE
	—	ROPC or Silent
	—	Implicit or Interactive
Email > Forward	Authorization code with PKCE	—
Email > Reply	Authorization code with PKCE	—
Email Trigger	Client credentials	Client credentials

Note:

The existing Silent flow has been renamed as ROPC (Resource Owner Password Credentials) and the existing Interactive flow has been renamed to Implicit.
Both ROPC and Implicit grant flows are legacy flows, less secure, and are not recommended by Microsoft.
The Client credentials flow for SMTP protocol is currently not supported by Microsoft to access Exchange Online.

OAuth grant types
Authentication flow support in MSAL
OAuth 2.0 Client Credentials Flow support for POP and IMAP protocols in Exchange Online

What will happen to my existing bots that use email automation when I update to the Automation 360 v.25 to update the default version of the Email package or Email trigger to the latest version?

When you update to the latest version of the Email package or Email trigger, the existing bots that use email automation will include the following changes:

If your bots are using the Email server option with IMAP or POP3 protocol, the Authentication mode option will be set to Basic by default to indicate that the action uses Basic authentication.
If the Host field in the Email server option uses a variable, the Authentication mode option will be set to Basic.
If your bots are using the EWS server option with the Authentication mode option set to Basic, there is no change in the bots.
Note: This is the default scenario when you update the Email package.
If your bots are using the EWS server option with the Authentication mode option set to OAuth2-Silent, the Authentication mode option will be set to OAuth2 - ROPC to indicate that the action uses the ROPC grant flow.
If your bots are using the EWS server option with the Authentication mode option set to OAuth2-Interactive, the Authentication mode option will be set to OAuth2 - Implicit to indicate that the action uses the implicit grant flow.

Why is the Send Email action marked as Deprecated in my existing bots?

When you update your bots with the latest version of the Email package, you will notice that the Send Email action used in your bots are marked as Deprecated due to the following reasons:

We have created a new version of the Send Email action which provides support for OAuth 2.0 mode of authentication.
The new Send Email action is available in the Email package version 3.14.1-20220831-084727 or later.
The Deprecated message will help you differentiate the old Send Email action from the new Send Email action.

Note: The Send Email action that is marked as Deprecated will continue to work the same way as earlier without any changes. However, if you want to switch from Basic authentication to OAuth 2.0, you must replace the deprecated Send Email action with the new Send Email action and configure the required OAuth 2.0 parameters.

Will Automation Anywhere provide any tool for Automation 360 customers to update their bots from Basic authentication to OAuth 2.0?

No. You will have to manually update your impacted bots to switch to OAuth 2.0.

What is the guidance for Enterprise 11 customers if their bots are impacted by Basic authentication deprecation?

Enterprise 11 customers are recommended to migrate their Email automation bots to Automation 360 and leverage the OAuth 2.0 support. After migration, you can perform the following:

Upload the new version of the Email package or Email trigger to Automation 360.
Edit the impacted bots and set the latest version of Email package or Email trigger as default.
Manually update your bots by switching from Basic authentication to OAuth 2.0.

Note: This guidance is applicable to both Cloud and On-Premises customers who are migrating to Automation 360.

Are there any limitations when you update the Email package?

We recommend that you do not perform a bulk update of bots to change Basic authentication to OAuth 2.0. You must manually edit the bots and update to OAuth 2.0.

Deprecation of Basic authentication in Exchange Online