Changing EWS authentication in my application to OAuth

  • Question

  • Hi,
    I have an API that uses EWS for email, tasks and appointments using basic authentication. The API is used in my Application, which has about 80 clients, each with their own set of sub-users who have Exchange/Office 365 accounts. I am changing the authentication to OAuth now and I was wondering what would be the best way. I have gone through the documentation and found out that you can register your application in Azure directory, get an Id, get the token corresponding to the ID in the code and then impersonate the mail ID. 

    But I am stuck with so many questions as a result of my application architecture and usage. 

    - As I said, I have 80 clients who are companies, each with a set of 5-10 user agents that have their own Exchange/Office 365 accounts through which they communicate and connect via EWS. So do all of them need to be registered separately in Azure directory? Or can I group them based on the company that they belong to, so that each of the 80 clients has their own separate registry? That way, I can let them provide the ID in the application and then use that ID to create the token. Or is there a way I can create just one directory for my application so that all 80 clients and their users can use it?
    I am really stuck on how this should be carried forward. Advice of any kind would be helpful.

    - Is there any limit for this in terms of number of tokens generated per day for an id or anything of that sort?

    - I have already checked MS documentation on "Authenticate an EWS application by using OAuth - for application". Are there any other useful articles that anyone would recommend?

    Wednesday, September 16, 2020 8:00 AM

All replies

  • >>I have an API that uses EWS for email, tasks and appointments using basic authentication.

    So how are users authenticating in your application currently, e.g. do they enter a username and password in a form etc., or is this a service-type application where you have one service account that then accesses the mailboxes on the users' behalf, e.g. are you currently using EWS Impersonation?

    For application registration, whichever method you use you just need one App Registration in your Tenant that is Multi-Tenant. The Customer will then need to Grant Consent for that Application to be used in their tenant (the customers could create their own app registration if they wanted to have that level of control; you would then need to allow them to pass in their own clientId etc. when they use your app).

    >> Is there any limit for this in terms of number of tokens generated per day for an id or anything of that sort?

    No 

    Cheers
    Glen

    Thursday, September 17, 2020 12:05 AM
  • Hi Glen,
    Thank you for the response!

    Now, to answer your questions.
    >> So how are user authenticating in your application currently

    We have each logged in user's user id and password and when they connect to the API, each of them connects with their own credentials. We have not used ews impersonation. 

    So are you saying I create one application registration as multi-tenant and then use that account to impersonate each of the users' logins? 

    >>The Customer will then need to Grant Consent to use that Application to be used in their tenant

    So do you mean that we will have to let each of the users consent to use this registered application Id? Or the other way around? 

    Thursday, September 17, 2020 4:53 AM
  • Sounds to me like the On-Behalf-Of flow is what you should be using: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

    >> So do you mean that we will have to let each of the users consent to use this registered application Id? Or the other way around? 

    The EWS permissions require Admin consent, so an Admin in the tenant would need to give Tenant-wide consent to use your application. It's just a one-off thing for each tenant. 

    Friday, September 18, 2020 1:38 AM
  • Hi Glen,
    Thanks again!

    I tried to set the permissions as admin and did try making a call. I couldn't connect to the mail folder and I got a 401 error.

    I still have a doubt on the tenant Id that should be specified. So I have given permission from the admin for multi-tenant use. Should I still provide the tenant id of the admin profile when I make the requests? And is this tenant id common for all the users inside the domain?

    Friday, September 18, 2020 2:01 PM
  • The TenantId should always be the Tenant you're authenticating in, e.g. in your case it would be the customer tenant, because you're generating access tokens to be used in their tenant.
    Monday, September 21, 2020 12:31 AM
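The plumbing the thread converges on (one multi-tenant app registration, a one-off admin consent per customer tenant, the On-Behalf-Of exchange, and a token request aimed at the customer's tenant rather than the app owner's) is shown below as an added example. It is not code from the original posts, from Glen, or from the poster's API. The client id, client secret, redirect URI and the sample user token are constructed placeholders; the EWS scope string and the OBO form parameters are the ones the Microsoft documentation uses. The example builds the requests offline rather than sending them, so it can be inspected without a tenant.

```python
"""Added example: OAuth plumbing for an EWS API moving off Basic auth.

Assumptions (not from the thread): placeholder client id/secret/redirect
URI, and an unsigned constructed JWT standing in for the token a user
presents to the API.
"""
import base64
import json
import re
from urllib.parse import urlencode

AUTHORITY_ROOT = "https://login.microsoftonline.com"
EWS_ENDPOINT = "https://outlook.office365.com/EWS/Exchange.asmx"
# Delegated EWS scope used with the on-behalf-of flow: the resulting token
# acts as the signed-in user, so per-mailbox impersonation is not needed.
EWS_DELEGATED_SCOPE = "https://outlook.office365.com/EWS.AccessAsUser.All"
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Read a JWT payload. This does NOT verify the signature: the API must
    validate the incoming token (issuer, audience, signature, expiry) before
    trusting it. The claims are only used here to choose the tenant."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def tenant_from_assertion(user_token: str) -> str:
    """The token request goes to the customer's tenant (Glen's last reply);
    that tenant is the 'tid' claim of the token the user sent to the API."""
    tid = jwt_claims(user_token).get("tid")
    if not tid or not GUID_RE.match(tid):
        raise ValueError("user token carries no usable tenant id claim")
    return tid


def build_obo_request(client_id, client_secret, user_token, scope=EWS_DELEGATED_SCOPE):
    """Token endpoint URL and form body for the on-behalf-of exchange,
    using the v2.0 endpoint's documented parameter names."""
    tid = tenant_from_assertion(user_token)
    url = f"{AUTHORITY_ROOT}/{tid}/oauth2/v2.0/token"
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }
    return url, form


def admin_consent_url(tenant_id, client_id, redirect_uri, scope=EWS_DELEGATED_SCOPE):
    """One-off link a customer's admin opens to grant tenant-wide consent
    to the single multi-tenant app registration."""
    query = urlencode({"client_id": client_id, "scope": scope, "redirect_uri": redirect_uri})
    return f"{AUTHORITY_ROOT}/{tenant_id}/v2.0/adminconsent?{query}"


def ews_request_headers(access_token: str) -> dict:
    """Headers for an EWS SOAP call; the Bearer token replaces Basic credentials."""
    return {"Authorization": f"Bearer {access_token}",
            "Content-Type": "text/xml; charset=utf-8"}


# Constructed sample: an unsigned stand-in for the token a user sends to the API.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"tid": SAMPLE_TENANT,
                               "upn": "agent@customer.example",
                               "aud": "api://placeholder-client-id"}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    url, form = build_obo_request("placeholder-client-id", "placeholder-secret", SAMPLE_USER_TOKEN)
    print(url)
    print({k: v for k, v in form.items() if k not in ("client_secret", "assertion")})
    print(admin_consent_url(SAMPLE_TENANT, "placeholder-client-id", "https://api.example/consent-done"))
    print(ews_request_headers("<access token from the OBO response>")["Authorization"][:20])
```

The `tid` lookup is the point of Glen's final answer: with 80 customer tenants there is no single tenant id to configure, so the API derives it from the token each user presents, and the OBO exchange and the EWS call both run in that customer's tenant. Signature validation of the incoming token is deliberately left to the API's existing authentication layer; reading the payload here only decides where the token request is sent.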