skip to Main Content

Exoprise recently added support for OAuth (OAuth 2.0 to be exact) credentials to the core Exchange Online testing sensor. This capability has been requested in the past and with this new release, enables end-to-end testing of Exchange Online and the OAuth capabilities of Azure AD with Office 365 from multiple concurrent locations.

As adoption of Office 365 grows, and it becomes more infused with system processes and workflow for an organization, the need for testing OAuth access and Azure AD performance becomes increasingly important. Also, the new OAuth capabilities of the Exchange Online monitoring now mean you don’t have to share real credentials with CloudReady – you can accept the OAuth registration and that’s it. Lastly, along with the OAuth capability, the Exchange Online sensors can now accept an application specific password when an account is configured for MFA (multi-factor authentication).

Exchange OAuth Credentials Token Usage

Exchange OAuth Credentials Token Usage

How OAuth Credentials Work With Exchange Online Accounts

Getting started using OAuth for Exchange Online is simple. Select the Exchange Online sensor as you normally would and you’ll see the additional option of using OAuth credentials like in this screenshot. Select the ‘Use OAuth Credentials’ button and configure.

 

choose OAuth credential

Choose an existing OAuth Credential or Create a New Registration…

Once you’ve selected to use the OAuth credential method you have an opportunity to reuse credentials from an existing previously registered OAuth credential or adding a new credential. To add a new credential, give it a name (a label for keeping track of the registration within CloudReady) and click ‘Add New’.

A popup window will appear where you can sign in and accept the Exoprise Exchange Online registration. This enables Exoprise to test the mailbox uptime, availability, mail flows and mail queue health as that account. Once you accept the OAuth registration within Office 365, you’ll be taken back to the same screen with the newly created registration selected.  Click Next to proceed to validation and deployment just like a regular sensor.

Sign Into Office 365 With Credential
Sign Into Office 365 With Credential

Sign into Office 365 with the account that you would like to use and test

Accept The Required Permissions For Testing Mailbox Access And Uptime

For the Exchange Online OAuth registration, the required permissions are presented

New OAuth Registration Is Selected, Click Next To Proceed

After accepting the OAuth registration, you'll return to the page with the selected credential. Click next to proceed to validation

OAuth Credential Validation

Validation of OAuth credentials before deployment to a site

Sign Into Office 365 With CredentialAccept The Required Permissions For Testing Mailbox Access And UptimeNew OAuth Registration Is Selected, Click Next To ProceedOAuth Credential Validation

Benefits of OAuth Credentials for Exchange Online API Access

Using OAuth credentials instead of real credentials for Exchange Online has a number of benefits over using real credentials. We’ll cover some of the high-level advantages here.

API Security

When it comes to API security, its always better to use token-based security versus passing, managing and maintaining real credentials. While CloudReady takes extra care with respect to password security and end-to-end PKI encryption of credentials (read about here in our Security Overview), using token-based credentials is always more secure.

Not Another Profile to “Manage”

By leveraging OAuth credentials, you no longer have to manage the credentials of the account within CloudReady. You do still have to be aware of the OAuth registration but you have more control within your own system and account.

Limited Scoped Access to User Data

By using OAuth, you, the owner of the account can limit access and scope to just what the OAuth registration is asking for. If you an OAuth registration from Exoprise to access and test a mailbox, it doesn’t have any rights to SharePoint or Skype for Business with the same account. Translating the authentication to the use of a third-party access token provides these benefits.

Control of Access

Not only can the owner of the account control the scope of access to the data but the account owner can also control when they no longer want access to the resource (the mailbox in this case) to be granted. If you de-register the Exoprise OAuth registration from the account, then the sensor will fail and will no longer be able to access the token.

Centralized Credential Management

Now, within CloudReady, you can centrally manage the credentials that are being used across different OAuth sensors. Exoprise will introduce more centrally managed credential management features in future releases with additional support for token-based authentication and protocols.

Multiple Sensors Can Leverage Centralized Management

Within the CloudReady platform, multiple sensors can leverage the same OAuth token, either sensors deployed to public or private sites. This enables testing from different locations while still leveraging a centralized token that only needs to be accepted and managed once.

Disadvantages of Using OAuth Credentials With Exchange Online Testing

There aren’t many disadvantages to using OAuth credentials versus real credentials for Exchange testing and monitoring. We will briefly note a few:

  • There is some additional complexity of configuring OAuth token access and registration during setup. Exoprise has tried to make it as seamless as possible throughout the setup wizards.
  • For Exchange Online testing, OAuth credentials don’t test Autodiscover performance or availability. OAuth credentials only go through Azure AD and do not interact with Exchange Autodiscover. That said, you do get to test the access and availability of Azure Active Directory.
  • Can’t be used for OWA testing, and, currently you can’t use OAuth credentials for Active Sync testing either. OAuth credentials are only capable of being used for API access, not interactive sign-on.

Future Plans

Exoprise has more OAuth testing in the works with additional sensors planned that leverage and take advantage of shared OAuth registration, Graph and other APIs.

Team Exoprise

Team Exoprise represents multiple people in the engineering, sales and marketing department here at Exoprise. It takes a village.

Back To Top