Testing Exchange OAuth Access and Azure AD

Exoprise recently added support for OAuth (OAuth 2.0 to be exact) credentials to the core Exchange Online testing sensor. This capability has been requested in the past and with this new release, enables end-to-end testing of Exchange Online and the OAuth capabilities of Azure AD with Office 365 from multiple concurrent locations.

As adoption of Office 365 grows, and it becomes more infused with system processes and workflow for an organization, the need for testing OAuth access and Azure AD performance becomes increasingly important. Also, the new OAuth capabilities of the Exchange Online monitoring now mean you don’t have to share real credentials with CloudReady – you can accept the OAuth registration and that’s it. Lastly, along with the OAuth capability, the Exchange Online sensors can now accept an application specific password when an account is configured for MFA (multi-factor authentication).

How OAuth Credentials Work With Exchange Online Accounts

Getting started using OAuth for Exchange Online is simple. Select the Exchange Online sensor as you normally would and you’ll see the additional option of using OAuth credentials like in this screenshot. Select the ‘Use OAuth Credentials’ button and configure.

Once you’ve selected to use the OAuth credential method you have an opportunity to reuse credentials from an existing previously registered OAuth credential or adding a new credential. To add a new credential, give it a name (a label for keeping track of the registration within CloudReady) and click ‘Add New’.

A popup window will appear where you can sign in and accept the Exoprise Exchange Online registration. This enables Exoprise to test the mailbox uptime, availability, mail flows and mail queue health as that account. Once you accept the OAuth registration within Office 365, you’ll be taken back to the same screen with the newly created registration selected.  Click Next to proceed to validation and deployment just like a regular sensor.

Benefits of OAuth Credentials for Exchange Online API Access

Using OAuth credentials instead of real credentials for Exchange Online has a number of benefits over using real credentials. We’ll cover some of the high-level advantages here.

API Security

When it comes to API security, its always better to use token-based security versus passing, managing and maintaining real credentials. While CloudReady takes extra care with respect to password security and end-to-end PKI encryption of credentials (read about here in our Security Overview), using token-based credentials is always more secure.

Not Another Profile to “Manage”

By leveraging OAuth credentials, you no longer have to manage the credentials of the account within CloudReady. You do still have to be aware of the OAuth registration but you have more control within your own system and account.

Limited Scoped Access to User Data

By using OAuth, you, the owner of the account can limit access and scope to just what the OAuth registration is asking for. If you an OAuth registration from Exoprise to access and test a mailbox, it doesn’t have any rights to SharePoint or Skype for Business with the same account. Translating the authentication to the use of a third-party access token provides these benefits.

Control of Access

Not only can the owner of the account control the scope of access to the data but the account owner can also control when they no longer want access to the resource (the mailbox in this case) to be granted. If you de-register the Exoprise OAuth registration from the account, then the sensor will fail and will no longer be able to access the token.

Centralized Credential Management

Now, within CloudReady, you can centrally manage the credentials that are being used across different OAuth sensors. Exoprise will introduce more centrally managed credential management features in future releases with additional support for token-based authentication and protocols.

Multiple Sensors Can Leverage Centralized Management

Within the CloudReady platform, multiple sensors can leverage the same OAuth token, either sensors deployed to public or private sites. This enables testing from different locations while still leveraging a centralized token that only needs to be accepted and managed once.

Disadvantages of Using OAuth Credentials With Exchange Online Testing

There aren’t many disadvantages to using OAuth credentials versus real credentials for Exchange testing and monitoring. We will briefly note a few:

• There is some additional complexity of configuring OAuth token access and registration during setup. Exoprise has tried to make it as seamless as possible throughout the setup wizards.
• For Exchange Online testing, OAuth credentials don’t test Autodiscover performance or availability. OAuth credentials only go through Azure AD and do not interact with Exchange Autodiscover. That said, you do get to test the access and availability of Azure Active Directory.
• Can’t be used for OWA testing, and, currently you can’t use OAuth credentials for Active Sync testing either. OAuth credentials are only capable of being used for API access, not interactive sign-on.

Future Plans

Exoprise has more OAuth testing in the works with additional sensors planned that leverage and take advantage of shared OAuth registration, Graph and other APIs.