The purpose of this article is to provide information to Outreach Admins regarding Outreach’s use of OAuth integration with the Microsoft ecosystem (i.e., Microsoft 365 and Exchange Hybrid Modern Auth).
A significant portion of Outreach's value is dependent on syncing email accounts with the Outreach Platform, providing Users with the ability to track and report the effectiveness of prospecting emails.
- Outreach Admins
- Some Outreach views and options require admin-level governance permissions. If the options outlined in this article are unavailable, contact the Org's Outreach Administrator as applicable. For more information regarding governance profile settings, refer to the Governance Profile Settings Overview article.
- Some content in this article references information managed by third parties and is subject to change without notice.
- Outreach supports Basic Auth and OAuth when connecting to Microsoft platforms. The following content is applicable to both M365 and Exchange.
Basic Auth FAQs:
Q: What is Basic Auth?
A: Basic Auth uses User credentials to authenticate the application and is the least secure way to provide access to an app. OAuth provides secure delegated access using access tokens, so the OAuth target application does not store or process User credentials directly.
Q: How will Microsoft’s decision to deprecate Basic Auth impact my workflow/org?
A: No significant impact is expected for Users using the same email as a login; however, disabling Basic Auth can impact Users using alias emails for authentication as Outreach EWS API does not provide a way to associate alias emails with a mailbox.
Q: When will Microsoft’s decision go into effect?
A: Microsoft is not disabling Basic Auth for those Users actively using it; however, Microsoft is disabling Basic Auth for new Users and those not actively using it. For more information regarding the deprecation of Basic Auth, refer to the Microsoft Announcement.
Q: What should I do to prepare for this change?
A: You can begin migrating to Outreach’s OAuth connection. In Outreach mailbox settings, Basic Auth is used in the connectors “Outlook.com”, “Exchange Server” and “Office 365”, while OAuth is used in “Office 365 Oauth2” and “Microsoft Hybrid Modern Auth”. You can choose a relevant scope, and if Outreach works fine with the OAuth connection, we recommend migrating all mailboxes to the OAuth-based connectors.
Note: If aliases are used in your O365 setup, it’s suggested to wait until the Graph API connector is implemented within Outreach.
Q: Does Outreach have a solution in mind to address this change?
A: Outreach has implemented OAuth for EWS API, which can be used in place of Basic Auth.
Q: How are the new Graph API scopes different from the old EWS scopes?
A: In EWS API it is not possible to limit auth scopes, which means an application has the same level of access as the User. In Graph API only necessary scopes can be selected. We plan to request the following list of scopes from Graph API once it’s implemented (for mailboxes only, not taking calendars into account):
Q: Which OAuth scopes are used by Outreach, and what are they used for?
- User.Read - Default scope required to sign into the app.
- EWS.AccessAsUser.All - Provides Outreach full access to the individual User’s mailbox. This scope is requested to define more granular scopes not possible in EWS API.
- User.Read - Default scope required to sign into the app.
- Offline_access - Provides Outreach access to the User’s calendar when the user is not using Outreach. Outreach creates events in the User’s calendar when a Prospect interacts with the calendar’s availability, such as responding to a meeting invite with a date and time selection.
- Calendars.ReadWrite - Provides Outreach access to read the User’s calendar and create new events.
- MailboxSettings.Read - Provides Outreach the ability to read the User’s Timezone.
Additionally, Administrators can use ApplicationAccessPolicy cmdlets to control mailbox access of an app that has been granted any of the following application permissions:
For more information, refer to Microsoft’s New-ApplicationAccessPolicy article.
Q: Once integrated with OAuth, will Outreach have access to User mailboxes other than those of Outreach Users?
A: No. Outreach utilizes delegate authentication and as such can only access the mailboxes of Users who have authorized Outreach to connect to their mailbox. Outreach cannot access the contents of other Users.
[Screenshot: EWS.AccessAsUser.All scope, Exchange Admin account accessing a mailbox with full mailbox access or delegate permissions - test successful]
[Screenshot: EWS.AccessAsUser.All scope, Exchange Admin account accessing a mailbox without full mailbox access or delegate permissions - test unsuccessful]
Q: What access does Outreach have to the organization when a User with Admin privileges in 365/Exchange installs Outreach?
A: Outreach will be able to view all the organization’s Users but will only be able to access mailboxes that have been connected to Outreach.
Note: This scenario was tested with an Exchange admin account. Only specific services are allowed using EWS. For example, if you want to allow the Users to use OWA, you need to set:
Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowList -EwsAllowList:"OWA/*"
Q: Can customers limit Outreach’s EWS access on the Microsoft 365/Exchange end?
A: Yes, customers can limit access based on Exchange rights. For more information regarding access limitations, refer to Microsoft’s Access email as a delegate by using EWS in Exchange article.
Q: What is the difference in the level of access Outreach gets with OAuth via EWS managed API?
A: There is not a difference. OAuth provides a more secure authorization method using tokens. Outreach’s access to the User’s mailbox is the same regardless of the authentication mechanism.
Q: Can Users create a setting on their side to control which Users have access to Outreach?
A: Yes. Users can update an EWS application access policy to add a blocklist.
Note: The EWS blocklist is a multi-value attribute and should be managed using add/remove methods to avoid overwriting existing values when making modifications.
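The add/remove handling described in the note above, as an added example (not Outreach's or Microsoft's own code). It assumes an Exchange PowerShell session is already connected; the function name Update-EwsBlockList and the pattern 'ExampleAgent/*' are hypothetical placeholders, not values from this article.

```powershell
# Added example. Update-EwsBlockList is a hypothetical helper name.
# Requires an already-connected Exchange PowerShell session.
function Update-EwsBlockList {
    param(
        [Parameter(Mandatory)] [string] $Pattern,                 # user-agent pattern to block
        [Parameter(Mandatory)] [ValidateSet('Add', 'Remove')] [string] $Action
    )

    # Record the current org-wide EWS policy before changing anything.
    $before = Get-OrganizationConfig |
        Select-Object EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList

    # An org that enforces an allow list would change behaviour for every
    # EWS client if it were switched to a block list, so stop here instead.
    if ($before.EwsApplicationAccessPolicy -eq 'EnforceAllowList') {
        throw 'Org enforces an EWS allow list; review it before switching to a block list.'
    }

    $present = $before.EwsBlockList -contains $Pattern
    if (($Action -eq 'Add' -and $present) -or ($Action -eq 'Remove' -and -not $present)) {
        return $before   # nothing to change
    }

    # @{Add=...} / @{Remove=...} edits one value of the multi-valued property.
    # Passing a plain string to -EwsBlockList would replace the whole list.
    if ($Action -eq 'Add') {
        Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList `
                               -EwsBlockList @{ Add = $Pattern }
    }
    else {
        Set-OrganizationConfig -EwsBlockList @{ Remove = $Pattern }
    }

    # Re-read the configuration and confirm no existing entry was lost.
    $after = Get-OrganizationConfig |
        Select-Object EwsApplicationAccessPolicy, EwsBlockList
    $lost = @($before.EwsBlockList | Where-Object { $_ -ne $Pattern -and $after.EwsBlockList -notcontains $_ })
    if ($lost.Count -gt 0) {
        Write-Warning "Entries missing after update: $($lost -join ', ')"
    }
    return $after
}

# Usage with a constructed placeholder pattern:
# Update-EwsBlockList -Pattern 'ExampleAgent/*' -Action Add
```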
Q: Does Outreach support OAuth with Master Service Accounts?
A: Outreach supports both Basic Auth and OAuth to connect Master Service Accounts.
Q: What is the roadmap and timeframe for changing Outreach’s OAuth scopes?
A: Outreach started development of a new Office 365 connector utilizing Graph API instead of EWS API. In Graph API, only permissions necessary to function are available.
Note: Graph API is only available in Office 365. Graph API is not available in Exchange On-Premise. Graph API is available in Exchange Hybrid Modern Auth but only in preview mode. There is not a timeline for when Graph API will go GA.