stackoom
  简体   繁体   中英

How to read exchange email with unattended console app

 原文  2023-01-30 21:52:36       c#/ asp.net-core/ azure-active-directory/ console-application/ exchangewebservices

Question

I have been trying to implement a solution for this for days. It's my first experiment with Microsoft Graph. I had our.network admin register the app and went through the quick start code in console-app-quickstart . I looked at active-directory-do.netcore-daemon-v2 andactive-directory-do.net-iwa-v2 .

var App = PublicClientApplicationBuilder
  .Create("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
  .WithTenantId("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
  .Build();

The PublicClientApplication has the AcquireTokenByIntegratedWindowsAuth function. This sounds good because we can launch the console app as whatever user we want to use with a scheduled task. But it errors out with WS-Trust endpoint not found. Where's WS-Trust endpoint defined? The sample also includes the line var accounts = await App.GetAccountsAsync() but that always returns zero accounts. Some responses to searches for this say that we have to use the global tenant admin. The company doesn't like that idea at all. How can that be safe? Do we create a new user as an admin tenant just for that?

The other option is this

var App = ConfidentialClientApplicationBuilder.Create("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
  .WithClientSecret("aeiou~XXXXXXXXXXX")
  .WithAuthority(new Uri("https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"))
  .Build();

The ConfidentialClientApplication doesn't have the integrated windows auth version. I can get connected and get MailFolders and Messages and process those, but it seems to work only when we use App.AcquireTokenForClient(scopes) and API permissions that allow the app to read everyone's email. Security doesn't like that much either. I also looked at impersonation-and-ews-in-exchange . I read in some places that ExchangeWebService is deprecated and use MS Graph instead. Is the MS Graph API permissions in the EWS category mean that it's going to be around?

Can anyone out there show me the right combination of pieces needed to do this? (api permissions, client application type, scopes, authority, etc). It needs to be unattended (launched by scheduled task), needs to have permissions to read only one email box, and save the attachments.

(sorry so long) Thanks, Mike

2 answers

solution1
 0  2023-01-31 07:39:28

The tutorial you shared in the question is an asp.net core console app. Since you want to have a console app and use it to read exchange mails. Therefore, what we can confirm is that: We need to use MS Graph API to read the exchange mails. Graph API required an Azure AD application with correct API permissions to generate Access token to call the API. API permissions have 2 types, Delegated for Web app because it required users to sign in to obtain the token, Application for daemon app like console application which don't require an user-sign-in.

Since you are using the asp.net core console application, you can only using Application API permission. Using Application permission means the console app has the permission to query messages of any email address in your tenant. You can't control the Graph API itself to query some specific users only. But you can write your own business logic to set authorization.

在此处输入图像描述

Then we can make the console application authorized to access the API, we can generate an Access token and use it in the HTTP request header to call the API, we can also use the Graph SDK. Using SDK will help to troubleshoot when met error.

using Microsoft.Graph;
using Azure.Identity;

var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_id";
var clientId = "Azure_AD_app_id";
var clientSecret = "Azure_AD_client_secret";
var clientSecretCredential = new ClientSecretCredential(
                tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
var messages = await graphClient.Users["{email_address/user_account/user_id}"].Messages.Request().Select("sender,subject").GetAsync();

solution2
 0  2023-01-31 22:47:52

WS-Trust endpoint not found

The WS-Trust endpoint is your ADFS endpoint, if you have ADFS 2019 then MSAL does support that using WithAdfsAuthority see https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/develop/msal.net-initializing-client-applications.md

There are some other restriction around using WIA that are listed at the top of https://github.com/AzureAD/microsoft-authentication-library-for-do.net/wiki/Integrated-Windows-Authentication-in-MSAL-2.x . If the constraints don't affect you it should work okay.

With the Client Credentials flow which is what your using above you can restrict the scope of the mailboxes it can access see https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

I would stick with the Graph rather then EWS as the later is being phased out and requires more permissions as its a legacy API.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to retrieve UserName and Password in unattended Azure Function How to read Redis binary values in redis console Authenticate with Exchange to access email inbox with imaplib How do you add a web App to your Google Cloud console? How to enable email and password signin provider for new firebase project using gcloud console or firebase tools CLI? How to make Auto send email without opening the flutter app? Exchange email permission to send to own organisation using amazon SES How to get the count of authentications in firebase console in the flutter app? How to send email/SMS notifications via AWS for Todo App? python3 use google-app-engine receive email, how to configure to specific app, not default app
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM