Deprecation of Basic authentication in Exchange Online

Microsoft will permanently disable Basic authentication for specific protocols in Exchange Online starting from October 1, 2022. This impacts customers running bot for email automation that connect to Exchange Online using IMAP, POP3, or EWS protocols with Basic authentication.

Important: We have updated the Email package and Email trigger with newer versions as mentioned below:


Package or trigger	New version	Old version
Email package	Version: 3.14.3-20220923-220748 Filename: bot-command-email-3.14.3.jar	Version: 3.14.1-20220831-084727 Filename: bot-command-email-3.14.1.jar
Email trigger	Version: 2.8.3-20220923-171042 Filename: bot-trigger-email-2.8.3.jar	Version: 2.8.1-20220831-123116 Filename: bot-trigger-email-2.8.1.jar

We recommend that you update your impacted bots with the new versions as they are compatible with the upcoming Automation 360 v.27 release. If you continue to use the old versions and update to Automation 360 v.27 release, you might encounter issues when importing or exporting of bots or when uploading the old versions of the Email package or trigger to Automation 360 v.27. To resolve this issue, see the workaround provided in Everything about Basic Authentication deprecation in Microsoft Exchange online (A-People login required).

We will provide a new version of the Email package with OAuth 2.0 support in an upcoming Automation 360 package-only release by the week of August 29, 2022.

To ensure that your existing bots that are using Basic authentication in Exchange Online are supported after Basic authentication is deprecated, we recommend that you update the bots to use OAuth 2.0. To identify the Automation 360 bots that are using Basic authentication in the Email package or Email trigger, use the Bot Scanner to scan bots. This helps you to plan your efforts to update your existing bots to OAuth 2.0 in Automation 360.

Update Automation 360 bots to use OAuth 2.0

Update scenario for updating bots using Basic authentication to use OAuth

Update to the latest Automation 360 release.
Update Automation 360 to latest version
Back up the Control Room repository.
Integrating Control Room with Git repositories
Identify bots that are using Basic authentication using the Bot Scanner.
Running Bot Scanner to scan bots for EOL features
Download the latest version of the Email package and add it to your Control Room.
Add packages to the Control Room
Update the bots that are using Basic authentication in the Connect, Send, Forward, or Reply actions or Email trigger to use OAuth 2.0.
Update bots using Basic authentication to OAuth 2.0
Verify that the updated bots can be deployed.
Run a bot
Note: You can update your bots to use OAuth 2.0 in one environment (for example, development or DEV) and then move these bots to another environment (for example, UAT and production or PROD) without updating the bots in each environment.

Protocols impacted for Basic authentication deprecation

Microsoft is removing the capability to use basic authentication in Exchange Online for these specific protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.

Note: SMTP AUTH is excluded from this deprecation.

Any client (for example, user app, script, or integration) using Basic authentication for one of the affected protocols will not be able to connect to Exchange server starting October 1, 2022. An HTTP 401 error (bad username or password) will be displayed.

Note: Any app using OAuth 2.0 for these same protocols will not be impacted.

For more information, see Basic authentication deprecation in Exchange Online – Updates.

Update bots using Basic authentication to OAuth 2.0

You should update your bots that are using Basic authentication to OAuth 2.0 in the Connect, Forward, Reply, and Send actions of the Email package and Email trigger before Basic authentication is deprecated.

Note: This procedure is applicable to both Automation 360 Cloud and On-Premises customers.

Prerequisites

The Installation Setup folder in the Automation 360 v.25 Basic Authentication MS Online - Deprecation downloads folder contains the following JAR files:
- Email package (bot-command-email-3.14.1.jar)
  Ensure that you download this package and add it to your Control Room in Automation 360.
- Email trigger (bot-trigger-email-2.8.1.jar)
  Ensure that you download this package and add it to your Control Room in Automation 360
- Trigger listener (triggerlistener.jar)
  If you are on Automation 360 v.25 release, ensure that you download and install the trigger listener file. See Install the trigger listener file.
For information on adding packages to the Control Room, see Add packages to the Control Room.

To download these JAR files, see Everything about Basic Authentication deprecation in Microsoft Exchange online (A-People login required).
Ensure that you have run the Bot Scanner utility for the deprecated features to identity the bots that are using Basic authentication in your Control Room repository.
See Running Bot Scanner to scan bots for EOL features.
Ensure that you have registered your application on the Azure portal and performed the following configurations for Client credentials flow:
- IMAP/POP3
  1. Register an application
  2. Authenticate an IMAP, POP or SMTP connection using OAuth
- EWS

Procedure

Log in to your Control Room as Bot Creator.
Select the bot that was identified in the Bot Scanner report for updating.
Check out the bot to edit it.
In the Bot editor, click the vertical ellipsis in the top right-corner and click Packages.
Expand the row for the Email package.
From the drop-down list of package versions, select the Default version.
Note: For Email package, ensure that the package version is 3.14.1-20220831-084727 or later. For Email trigger, ensure that the package version is 2.8.1-20220831-123116 or later.
Click Change Version and Save.
Click Return to editor.
Click the Email action or Email trigger that is using the Basic authentication mode.
Click the Email server or EWS server option.

In the Authentication mode drop-down list, choose the required OAuth 2.0 mode.

Note: For unattended Email automation, use Client credentials or ROPC flows, and for attended Email automation, use Implicit or PKCE flows. Microsoft does not recommend the use of ROPC and Implicit legacy flows. Therefore, we recommend that you either use the Client credentials or PKCE flow.

The following table provides information about the OAuth 2.0 authentication modes that are available for Email action in the Email server and EWS server options:


Email actions	Email server	EWS server
Connect	OAuth2 – Authorization code with PKCE OAuth2 – Client credentials	OAuth2 – ROPC OAuth2 – Implicit OAuth2 – Authorization code with PKCE OAuth2 – Client credentials
Send	OAuth2 – Authorization code with PKCE	OAuth2 – ROPC OAuth2 – Implicit OAuth2 – Authorization code with PKCE OAuth2 – Client credentials
Forward	OAuth2 – Authorization code with PKCE	--
Reply	OAuth2 – Authorization code with PKCE	--

The following table provides information about the OAuth 2.0 authentication modes that are available for Email trigger in the Email server and EWS server options:


Triggers	Email server	EWS server
Email trigger	OAuth2 – Client credentials	OAuth2 – Client credentials

OAuth2 – ROPC: Uses Resource Owner Password flow (Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials)
Note: The existing Silent flow has been renamed to ROPC.
OAuth2 – Implicit: Uses implicit grant flow (Microsoft identity platform and implicit grant flow)
Note: The existing Interactive flow has been renamed to Implicit.
OAuth2 – Authorization code with PKCE: Uses authorization code with PKCE grant flow (Microsoft identity platform and OAuth 2.0 authorization code flow)
OAuth2 – Client credentials: Uses client credentials flow (Microsoft identity platform and the OAuth 2.0 client credentials flow)

Depending on the authentication mode that you selected, you might have to update some of the following fields:
- Username: Enter the username that you want to use to access the mail server.
  For example, john.smith@myCompanyName.com
- Password: Enter the password for the username you provided.
- Email provider: Select the email provider from the drop-down list.
Note: For Client ID, Tenant ID, Redirect URI, and Client secret options, use the information that is provided for your account on your Azure portal.

See Email package and Add an email trigger.
For EWS server, click Test connection to sign in to your account, accept the permissions requested to authenticate, and establish a connection with the server.
Note: In the Microsoft Azure app registrations portal, in Manage > Authentication, ensure that the URI you have added is either https://outlook.office365.com or https://outlook.office365.us for the connection to work properly.
Click Save.

Repeat these steps for all the impacted bots and run the bots to ensure that they can connect to Exchange Online using OAuth 2.0 successfully.

Install the trigger listener file

To use the Email trigger with OAuth 2.0, you have to update the triggerlistener.jar in the Bot Agent.

In the Windows Task Manager, stop the Automation Anywhere Bot Agent service.
Go to the folder where the Bot Agent is installed (C:\Program Files\Automation Anywhere\Bot Agent).
Locate the triggerlistener.jar file and rename the file to triggerlistener.jar_old.
Copy the downloaded triggerlistener.jar.
In the Windows Task Manager, start the Automation Anywhere Bot Agent service.

Deprecation of Basic authentication in Exchange Online

Update Automation 360 bots to use OAuth 2.0

Protocols impacted for Basic authentication deprecation

Update bots using Basic authentication to OAuth 2.0

Install the trigger listener file

Other resources