Exchange Web Services and Two Factor Authentication

EWS Two Factor Authentication

We have several products and solutions built on Exchange Web Services (EWS). One of my customers contacted me today to say that their synchronisation was no longer working.

We quickly ascertained that when the service tried to access Exchange using EWS – the credentials which had worked previously now resulted in an ‘Unauthorized’ response from Exchange.

It turned out the customer had recently started testing two factor authentication and it was causing the EWS calls to be blocked. Two factor authentication is always going to be a problem for automated tools which need to log in with no user present to provide the second factor.  

Microsoft have created ‘Application Passwords’ to resolve this problem.

Microsoft say:

“After you’ve turned on two-step verification, some apps (like the mail apps on some phones) or devices (like an Xbox 360 or Windows Phone 8) will show an incorrect password error because they can’t prompt you to enter a security code when you try to sign in. The solution to this problem is to create app passwords to use in place of your regular password, but only for these apps that don’t support two-step verification. App passwords are long, randomly generated passwords that you only have to provide once.”  

See here for more details: https://support.microsoft.com/en-gb/help/12409/microsoft-account-app-passwords-two-step-verification

We created an application password for the account we were using to access EWS. [This is a long auto-generated password which can only be used for one application – but which doesn’t require two factor authentication. Apparently, even if someone does discover it and try to use it for anything else – it won’t work. The user’s original password continues to be used everywhere else with two factor authentication]. Once we started using the application password in the EWS credentials, the EWS connection started working again. And where the account was being used with impersonation rights to access other accounts, these started working as well. 

So if you switch on two factor authentication for your Outlook/Exchange account, and wish to use a tool which utilizes EWS to access Exchange from that account, you will need to create an Application Password.