How to read Exchange email with an unattended console app
I have been trying to implement a solution for this for days. It's my first experiment with Microsoft Graph. I had our network admin register the app and went through the quick start code in console-app-quickstart. I looked at active-directory-dotnetcore-daemon-v2 and active-directory-dotnet-iwa-v2.
var App = PublicClientApplicationBuilder
    .Create("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
    .WithTenantId("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
    .Build();
The PublicClientApplication has the AcquireTokenByIntegratedWindowsAuth function. This sounds good because we can launch the console app as whatever user we want to use with a scheduled task. But it errors out with "WS-Trust endpoint not found". Where's the WS-Trust endpoint defined? The sample also includes the line

var accounts = await App.GetAccountsAsync()

but that always returns zero accounts. Some responses to searches for this say that we have to use the global tenant admin. The company doesn't like that idea at all. How can that be safe? Do we create a new user as an admin tenant just for that?
The other option is this:
var App = ConfidentialClientApplicationBuilder.Create("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
    .WithClientSecret("aeiou~XXXXXXXXXXX")
    .WithAuthority(new Uri("https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"))
    .Build();
The ConfidentialClientApplication doesn't have the integrated Windows auth version. I can get connected and get MailFolders and Messages and process those, but it seems to work only when we use App.AcquireTokenForClient(scopes) and API permissions that allow the app to read everyone's email. Security doesn't like that much either. I also looked at impersonation-and-ews-in-exchange. I read in some places that ExchangeWebService is deprecated and to use MS Graph instead. Does the MS Graph API having permissions in the EWS category mean that it's going to be around?

Can anyone out there show me the right combination of pieces needed to do this? (API permissions, client application type, scopes, authority, etc.) It needs to be unattended (launched by a scheduled task), needs to have permissions to read only one email box, and save the attachments.

(sorry so long) Thanks, Mike
The tutorial you shared in the question is an ASP.NET Core console app, and you want to have a console app and use it to read Exchange mails. Therefore, what we can confirm is that we need to use the MS Graph API to read the Exchange mails. The Graph API requires an Azure AD application with the correct API permissions to generate an access token to call the API. API permissions have 2 types: Delegated, for web apps, because it requires users to sign in to obtain the token; and Application, for daemon apps like a console application, which don't require a user sign-in.

Since you are using the ASP.NET Core console application, you can only use Application API permissions. Using Application permission means the console app has the permission to query messages of any email address in your tenant. You can't control the Graph API itself to query some specific users only. But you can write your own business logic to set authorization.

Then we can make the console application authorized to access the API: we can generate an access token and use it in the HTTP request header to call the API, or we can also use the Graph SDK. Using the SDK will help to troubleshoot when you meet an error.
using Microsoft.Graph;
using Azure.Identity;

var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_id";
var clientId = "Azure_AD_app_id";
var clientSecret = "Azure_AD_client_secret";

var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

var messages = await graphClient.Users["{email_address/user_account/user_id}"].Messages
    .Request()
    .Select("sender,subject")
    .GetAsync();
"WS-Trust endpoint not found"

The WS-Trust endpoint is your ADFS endpoint. If you have ADFS 2019 then MSAL does support that using WithAdfsAuthority; see https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/develop/msal-net-initializing-client-applications.md

There are some other restrictions around using WIA that are listed at the top of https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication-in-MSAL-2.x . If the constraints don't affect you it should work okay.

With the Client Credentials flow, which is what you're using above, you can restrict the scope of the mailboxes it can access; see https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

I would stick with the Graph rather than EWS as the latter is being phased out and requires more permissions as it's a legacy API.
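Putting the two answers together into the unattended app the question asks for (client-credentials flow with an Application permission from the first answer, mailbox scoping from the second), as an added example that is not code from the question or either answer. It assumes the Microsoft.Graph 4.x and Azure.Identity packages, that Mail.Read is the only Application permission granted to the app registration, and that an Exchange Online application access policy (the mechanism in the auth-limit-mailbox-access page linked above) restricts that registration to the one mailbox. The mailbox addresses, the environment variable names and the output folder are placeholders.

```csharp
// Added example (not code from the question or either answer): an unattended console app
// that reads ONE mailbox with the client-credentials flow and saves its file attachments.
// Assumes Microsoft.Graph 4.x and Azure.Identity; mailbox addresses, environment variable
// names and the output folder are placeholders.
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;

class Program
{
    const string AllowedMailbox = "shared-inbox@contoso.example";   // the only mailbox the app should read
    const string ControlMailbox = "someone-else@contoso.example";   // an existing mailbox the policy must block

    static async Task<int> Main()
    {
        // Secrets come from the scheduled task's environment (or a vault), never from source.
        var credential = new ClientSecretCredential(
            Environment.GetEnvironmentVariable("GRAPH_TENANT_ID"),
            Environment.GetEnvironmentVariable("GRAPH_CLIENT_ID"),
            Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET"));

        // ".default" requests the Application permissions already granted to the app
        // registration; only Mail.Read (admin-consented) is assumed to be granted.
        var client = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });

        if (!await IsScopedToAllowedMailbox(client, ControlMailbox))
        {
            Console.Error.WriteLine("Application access policy missing: app can read other mailboxes. Aborting.");
            return 1;
        }

        var outDir = Path.Combine(AppContext.BaseDirectory, "attachments");
        Directory.CreateDirectory(outDir);
        await SaveInboxAttachments(client, AllowedMailbox, outDir);
        return 0;
    }

    // Fail closed: if the app can read a mailbox it must never see, the Exchange Online
    // application access policy is not in effect and the job should not run.
    static async Task<bool> IsScopedToAllowedMailbox(GraphServiceClient client, string controlMailbox)
    {
        try
        {
            await client.Users[controlMailbox].Messages.Request().Top(1).GetAsync();
            return false;                                   // tenant-wide Mail.Read is in effect
        }
        catch (ServiceException ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            return true;                                    // policy denied the control mailbox
        }
    }

    static async Task SaveInboxAttachments(GraphServiceClient client, string mailbox, string outDir)
    {
        // Only messages that carry attachments, newest first, in small pages.
        var page = await client.Users[mailbox].MailFolders["Inbox"].Messages.Request()
            .Filter("hasAttachments eq true")
            .Select("id,subject,receivedDateTime")
            .OrderBy("receivedDateTime desc")
            .Top(25)
            .GetAsync();

        while (page != null)
        {
            foreach (var msg in page)
            {
                var attachments = await client.Users[mailbox].Messages[msg.Id].Attachments.Request().GetAsync();
                foreach (var att in attachments.OfType<FileAttachment>())
                {
                    // Large attachments are not inlined in the listing; they need a separate download.
                    if (att.ContentBytes == null) { Console.WriteLine($"skipping large attachment {att.Name}"); continue; }

                    // Attachment names are untrusted input from the sender: keep only the leaf
                    // name so a path like "..\\..\\x" cannot escape the output folder.
                    var target = Path.Combine(outDir, $"{msg.Id[..8]}_{SanitizeFileName(att.Name)}");
                    await File.WriteAllBytesAsync(target, att.ContentBytes);
                    Console.WriteLine($"{msg.ReceivedDateTime:u}  {msg.Subject}  -> {target}");
                }
            }
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
    }

    static string SanitizeFileName(string name)
    {
        var leaf = Path.GetFileName((name ?? string.Empty).Replace('\\', '/'));
        if (string.IsNullOrWhiteSpace(leaf)) leaf = "attachment.bin";
        var invalid = Path.GetInvalidFileNameChars();
        return new string(leaf.Select(c => invalid.Contains(c) ? '_' : c).ToArray());
    }
}
```

The scoping itself is configured on the Exchange Online side, not in the app: the linked page describes creating the policy with New-ApplicationAccessPolicy against the app registration's AppId and a mail-enabled security group containing only the allowed mailbox, and checking it with Test-ApplicationAccessPolicy. The startup check in the block is the in-app counterpart of that test: it expects a 403 on a control mailbox and refuses to run otherwise, so a policy that is silently removed later cannot turn the scheduled task into a tenant-wide mail reader. The control mailbox must exist, since a 404 is not treated as a denial.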