Enterprise 11 and Basic authentication EOL FAQ

Microsoft will permanently disable basic authentication for specific protocols in Exchange Online starting from October 1, 2022. This impacts customers running bots for email automation that connect to Exchange Online using IMAP, POP3, or EWS protocols with basic authentication.

What is basic authentication deprecation?
Microsoft has announced that starting October 1, 2022 basic authentication will be permanently turned off (disabled) for specific protocols in Exchange Online as mentioned below:
MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell
Exclusion: SMTP AUTH is excluded from this deprecation for tenants which are already using it
Any client (user app, script, integration, and so on) using basic authentication for one of the affected protocols will be unable to connect after that specified date. The app will receive an HTTP 401 error: bad username or password. Any app using OAuth 2.0 for these protocols will be unaffected.
Can the customer extend the basic authentication?

Microsoft has provided a one-time re-enablement option for Basic authentication. After Oct 1st, selected protocols can use Basic authentication until the end of 2022.

See the latest post from MS on the Basic authentication end-of-life upcoming Oct 1st, 2022

Basic Authentication Deprecation in Exchange Online – September 2022 Update

With this update, users still have a 3-month window to prepare for OAuth 2.0 before the Basic authentication is permanently deprecated.

What is Microsoft's recommendation to mitigate basic authentication deprecation?
As per Microsoft's recommendation, you are requested to switch from basic authentication to OAuth 2.0 if your clients or apps are using basic authentication with any of the affected protocols to connect to Exchange server via Exchange Online.
Note: The basic authentication deprecation applies to Exchange Online only and not to Exchange on-premises version.
Why this change?
Basic authentication is an outdated industry standard, less secure, and poses high risks to accessing customers' sensitive data. The latest industry standard is OAuth 2.0 which is more secure and less vulnerable to cyber attacks.
Basic authentication in Exchange Online
Where is basic authentication used in Enterprise 11 product?
In Enterprise 11, the basic authentication feature is available in the Email Automation command and in Email trigger where you configure connection parameters using any of the IMAP, POP3, SMTP, or EWS protocols.
How do I know if I am going to be impacted by basic authentication EOL?

Basic authentication deprecation will impact you if:

  • you are automating email using Email Automation command or Email trigger
  • you are using basic authentication to connect to Exchange Online
  • you are using the IMAP, POP3, or EWS protocol

When basic authentication will be disabled by Microsoft starting October 1, 2022 then all the Enterprise 11 bots for Email automation which meets the above mentioned criteria will fail as the bot cannot connect to the Email server.

When will the support end?
Basic authentication will be disabled by Microsoft starting October 1, 2022.
How can I identify the Enterprise 11 bots in my repository that are using basic authentication with Email Automation command or Email trigger?
For Enterprise 11 bots, you can run the Bot Scanner utility for EOL features. The scanner will generate a CSV output listing all the impacted bots including the specific line numbers and the specific actions to be performed.
Which feature will be provided in Enterprise 11 to mitigate the risk of basic authentication deprecation?
  • OAuth 2.0 Authentication for EWS protocol already exists in Version 11.3.5 client. You can also choose to update the bots with OAuth2.0 Authentication for the EWS protocol instead of Basic Authentication with any protocol.
  • If EWS OAuth2.0 Authentication is not an option, then you can update the version11.3.5.8 patch scheduled to be released on October 1, 2022, and update the bots with the latest credential.
  • Version 11.3.5.8 patch release will support the OAuth 2.0 Authentication for the IMAP, and POP3 protocol.
What are the different grant types or flows supported for OAuth 2.0 in Enterprise 11?
In Enterprise 11, there are two primary grant types that are supported for OAuth 2.0 across Email Automation and Email trigger:
  • Client credentials: Email Automation and Email trigger.
  • Authorization code: Email Automation.
Command Email server (IMAP, POP3) EWS Use-case
Email Automation
  • Client credentials
  • Authorization code with PKCE
  • Client credentials
  • Authorization code with PKCE
  • ROPC (or Silent)
  • Unattended
  • Attended
  • Unattended
Email trigger
  • Client credentials
  • Authorization code with PKCE
  • Client credentials
  • Authorization code with PKCE
  • ROPC (or Silent)
  • Unattended
  • Attended
  • Unattended
Note:
  • ROPC (Resource Owner Password Credentials) refers to the existing Silent flow and the Implicit refers to the existing Interactive flow.
  • Both ROPC and Implicit grant flows are legacy flows, less secure, and are not recommended by Microsoft.
  • The client credentials flow for SMTP protocol is currently not supported by Microsoft to access Email Online.
See:
What will happen to my existing bots that use email automation when I update to the Version 11.3.5.7?
When you update to the latest version of the Email Automation or Email trigger, the existing bots that use email automation will show the following changes:
  • If your bots are using the Email server option with IMAP or POP3 protocol, the Authentication mode option will be set to Basic by default to indicate that the action uses the basic authentication mode.
  • If your bots are using the EWS server option with the Authentication mode option set to Basic, you need not update your bots.
  • If your bots are using the EWS server option with the Authentication mode option set to OAuth2-Silent, the Authentication mode option will be set to OAuth2 - ROPC to indicate that the action uses the ROPC grant flow.
Will Automation Anywhere provide any tool to Enterprise 11 customers to update their bots from basic authentication to OAuth 2.0?
No. You will have to manually update your impacted bots to switch to OAuth 2.0. This requires first-time authentication and approval of the client which needs to be done manually.
What is the impact on Outlook V2 Meta bot DLL after Basic Authentication EOL starting October 1, 2022?

There is no Basic Auth EOL impact on the MetaBot DLL as it uses Outlook to retrieve emails. The MetaBot will continue to work if Outlook is configured and working correctly.

Are shared mailboxes supported for any of the protocols supported by Email Automation?
The existing POP3 and IMAP protocols with Basic Authentication supports shared mailboxes. With Version 11.3.5.7, the shared mailboxes will continue to be supported for POP3 and IMAP protocols with OAuth2.0 authentication.
Note: EWS OAuth2.0 does not support shared mailbox.
What is the plan and guidance from Automation Anywhere for Automation 360 customers who are impacted by the basic authentication deprecation?

Enterprise 11 users are recommended to migrate their email automation bots to Automation 360 and leverage the OAuth 2.0 support. Post the migration they can manually update their bots by switching from Basic Authentication to OAuth 2.0.