Authentication and EWS in Exchange
Find information to help you choose the right authentication standard for your EWS application that targets Exchange.
Last modified: March 09, 2015
Applies to: EWS Managed API | Exchange Online | Exchange Server 2013 | Office 365
Authentication is a key part of your Exchange Web Services (EWS) application. Exchange Online, Exchange Online as part of Office 365, and on-premises versions of Exchange starting with Exchange Server 2013 support standard web authentication protocols to help secure the communication between your application and the Exchange server.
If you’re targeting Exchange Online, the authentication method that you choose must use HTTPS to encrypt the requests and responses that your application sends. Although you can use HTTP with Exchange on-premises servers, we recommend that you use HTTPS for any request that your application sends to an EWS endpoint to help secure communication between your application and an Exchange server.
Exchange provides the following authentication options for you to choose from:
- OAuth 2.0 (Exchange Online only)
- NTLM (Exchange on-premises only)
- Basic (no longer recommended)
The authentication method that you choose depends on the security requirements of your organization, whether you are using Exchange Online or Exchange on-premises, and whether you have access to a third-party provider that can issue OAuth tokens. This article provides information that will help you select the authentication standard that’s right for your application.
OAuth authentication
We recommend that all new applications use the OAuth standard to connect to Exchange Online services. The advantage in security over basic authentication is worth the additional work required to implement OAuth in your application. For the record, however, there are also some disadvantages that you should be aware of.
| Advantages | Disadvantages |
|---|---|
| | |
To help minimize the disadvantages, you can use the Microsoft Azure AD Authentication Library (ADAL) to authenticate users to Active Directory Domain Services (AD DS) in the cloud or on-premises and then obtain access tokens for securing calls to an Exchange server. Exchange Online requires tokens issued by the Azure Active Directory service, which is supported by the ADAL; however, you can use any third-party library.
To learn more about using OAuth authentication in your EWS application, see the following resources:
- Office 365 trial, to set up an Exchange server to use to test your client application.
- Configure Azure Active Directory, to enable your application to use OAuth tokens for authentication.
- How to: Authenticate an EWS application by using OAuth, for sample code that you can study.
NTLM authentication
NTLM authentication is only available for Exchange on-premises servers. For applications that run inside the corporate firewall, integration between NTLM authentication and the .NET Framework provides a built-in means to authenticate your application.
| Advantages | Disadvantages |
|---|---|
| | |
Basic authentication
Basic authentication provides a, well, basic level of security for your client application. We do recommend that all new applications use either NTLM or the OAuth protocol for authentication; however, basic authentication can be the correct choice for your application in some circumstances.
| Advantages | Disadvantages |
|---|---|
| | |
You need to decide if basic authentication meets the security requirements of your organization and customers. Basic authentication can be the right choice if you want to avoid extensive setup tasks, for example for simple test or demonstration applications.
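The following C# example is added here and is not code from the original article: it shows one way to select among the three options with the EWS Managed API while refusing endpoints that are not HTTPS. `EwsTarget`, `EwsAuth` and `EwsServiceFactory` are hypothetical names, and the OAuth access token is assumed to have been obtained already (for example, through ADAL).

```csharp
using System;
using Microsoft.Exchange.WebServices.Data;

// Hypothetical names for this example; they are not part of the EWS Managed API.
public enum EwsTarget { ExchangeOnline, OnPremises }
public enum EwsAuth { OAuth, Ntlm, Basic }

public static class EwsServiceFactory
{
    public static ExchangeService Create(EwsTarget target, EwsAuth auth, Uri ewsUrl,
        string accessToken = null, string userName = null, string password = null)
    {
        if (ewsUrl == null) throw new ArgumentNullException(nameof(ewsUrl));

        // Exchange Online requires HTTPS and it is recommended on-premises.
        // Assumption of this example: refuse plain HTTP for every target.
        if (ewsUrl.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("EWS endpoint must use HTTPS.", nameof(ewsUrl));

        var service = new ExchangeService(ExchangeVersion.Exchange2013) { Url = ewsUrl };

        switch (auth)
        {
            case EwsAuth.OAuth:   // Exchange Online only
                if (target != EwsTarget.ExchangeOnline)
                    throw new NotSupportedException("OAuth is for Exchange Online only.");
                if (string.IsNullOrEmpty(accessToken))
                    throw new ArgumentException("Access token required.", nameof(accessToken));
                service.Credentials = new OAuthCredentials(accessToken);
                break;

            case EwsAuth.Ntlm:    // Exchange on-premises only
                if (target != EwsTarget.OnPremises)
                    throw new NotSupportedException("NTLM is for Exchange on-premises only.");
                // Integrated Windows authentication with the logged-on account;
                // the application never handles a password.
                service.UseDefaultCredentials = true;
                break;

            case EwsAuth.Basic:   // no longer recommended; test or demo use
                if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                    throw new ArgumentException("User name and password required.");
                // The application holds the password in memory here.
                service.Credentials = new WebCredentials(userName, password);
                break;
        }
        return service;
    }
}
```

With `WebCredentials`, the scheme actually used on the wire depends on what the server offers in its authentication challenge.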