EWS API authentication using OAuth (401: UnAuthorized) RRS feed

  • Question

  • Hi,

    I am unable to access mailbox of a user, using OAuth.

    I followed this article How to: Authenticate an EWS application by using OAuth

    I am able to generate a token using 'AuthenticationContext.AcquireTokenAsync()', but then getting 401 error 'UnAuthorized.

    Here is my code to generate OAuth token:

    public  async Task<string> AcquireTokenAsyncForApplication(string clientId, string clientSecret, string tenantName)
                var ResourceUrl = "https://outlook.office365.com";
                var AuthString = "https://login.microsoftonline.com/" + tenantName;// 
                if (TokenForApplication == null)
                    AuthenticationContext authenticationContext = new AuthenticationContext(AuthString, false);              
                    ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
                    AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(ResourceUrl, clientCred);// 
                    TokenForApplication = authenticationResult.AccessToken;
                return TokenForApplication;

    I have registered the app properly, with permission 'Using Exchange Web Services with full access to all mailboxes'

    Note: I am using Azure ADAL Lib 3.17.0, so using AcquireTokenAsync() instead of 'AcquireToken()'. I also, dont want to get a pop up, to enter user credentials, instead have to use ClientID (ApplicationID) + ClientSecret(Key).



    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

    Wednesday, October 18, 2017 11:37 AM

All replies

  • First thing i would suggest is you check the token to ensure the correct grants have been issued eg post your token in and https://jwt.io/ and check EWS requires the Full Access Grant eg full_access_as_user 

    The other thing is although you may have that grant it still doesn't give you access to Mailboxes eg the user that was used to generate the token will still need to be granted Full Access via Add-MailboxPermissions (eg if you don't have access to the Mailbox normally use Basic Auth normally then it not going to work with Oauth). The EWSEditor has an Oauth implementation which you can also use to test this all out and capture any differences if necessary.


    Wednesday, October 18, 2017 8:54 PM
  • Hi Glen,

    Thanks for your kind reply.

    I did check the token in jwt.io, which presented this decoding of the token


    I am not sure, how to check thing suggested by you.

    Also, I am trying to access inbox folder of same user, which created the App Registration (AppId+Secret) in azure portal, with correct permission, so permission issue should not be there, as trying to access same mailbox, who setup the App registration.

    I am going to check ewsEditor today too.

    Any other suggestions?

    Thanks and Regards,

    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

    Monday, October 23, 2017 2:57 PM
  • Your token appears not to have any grants assinged at all ? are you trying to use an App token with certificate authentication or just plain user authentication ? If its an App Only token have you assigned any application permissions ? these are different from the delegate permissions you assign

    Tuesday, October 24, 2017 9:54 PM
  • Thanks Glen, I would check it today, and update this post.

    Kind Regards,

    Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

    Thursday, October 26, 2017 4:32 PM
  • Hi Laeeq Qazi, were you able to figure this out? Thanks
    Monday, February 18, 2019 6:31 AM

    Hi Laeeq / @Laeeq Qazi,

    I am facing a similar 401 unauthorized issue as you described, however I the permissions screen I see is a bit different than what is shown in your post.

    I do not see the API option "Office 365 Exchange Online", however I have added all the options listed under "Exchange" and have granted Admin Consent as described in your post, however this does not appear to work.

    Please could you advise

    Saturday, July 27, 2019 7:16 AM