[EWS][OAUTH]Using EWS with OAuth2 authentication

  • Question

  • I recently posted a question about using EWS when the O365 account is redirected to a private logon screen. (I think this is multi-factor authentication.) It was suggested that I use OAuth2 authentication instead of my normal user/password or impersonation. After a lot of trouble I'm finally at the point where I have obtained an access token (a long string of characters of approximate length 1700 bytes).

    My problem now is I don't really know what to do with it. The documentation I have (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code) says to add an "authorization: bearer ..." http header. I have done this, but I'm still missing where I specify the user that I'm trying to access. When I use user/password authentication, I am just adding the "user:password" authentication http header (where user is the O365 email account). I did try this without the password, plus the authorization header, but it didn't work. Where should I specify the user name, along with the token header, to get EWS working?

    BTW I have seen this article: https://msdn.microsoft.com/en-us/library/office/dn903761(v=exchg.150).aspx but this applies to the managed API. I am using direct http calls (via libcurl). But at least I know it should be possible.


    Jeffrey McKay

    Saturday, September 23, 2017 11:44 PM

All replies

  • The token contains all the information necessary (e.g. it has the username and OAuth grants; you can see this if you post the token you're using into one of the online token decoding tools, such as https://jwt.io/). To use the token you just set the bearer header in your request and nothing else.

    Cheers
    Glen

    Sunday, September 24, 2017 11:33 PM
  • Thanks. I had tried this, didn't think it was working at all. Taking a closer look, I now see that there is a specific error message returned: "The token contains no permissions, or permissions can not be understood." BUT, I thought there were permissions - below is the decoded JWT. Isn't the "scp" parameter the permissions that I need? Is there some other set of permissions that O365 is looking for?

    {
      "aud": "https://outlook.office.com/",
      "iss": "https://sts.windows.net/0bf4f6ef-e093-418c-ab13-039ead63681d/",
      "iat": 1506359436,
      "nbf": 1506359436,
      "exp": 1506363336,
      "acr": "1",
      "aio": "ASQA2/8FAAAAVLcy2TdSa+KtpPqfK7VBkfDy/Hu2ZdROOHgjkWrf23k=",
      "amr": [
        "pwd"
      ],
      "appid": "38f1da80-9f80-4ff6-84a8-27c83d7212d3",
      "appidacr": "0",
      "e_exp": 262800,
      "enfpolids": [],
      "family_name": "Jones",
      "given_name": "Jennifer",
      "ipaddr": "64.146.143.214",
      "name": "Jennifer Jones",
      "oid": "812c6f9b-27bf-4f5e-a7ed-900d83b9361c",
      "puid": "10033FFF80BE17D2",
      "scp": "Calendars.ReadWrite Calendars.ReadWrite.All Calendars.ReadWrite.Shared Contacts.ReadWrite Contacts.ReadWrite.All Mail.ReadWrite Mail.ReadWrite.All Mail.ReadWrite.Shared profile Tasks.ReadWrite Tasks.ReadWrite.Shared",
      "sub": "T-N6Krkp9Mf8elqUJL688DqAh9lcieOUXjeon03kqaY",
      "tid": "0bf4f6ef-e093-418c-ab13-039ead63681d",
      "unique_name": "jjones@transend.onmicrosoft.com",
      "upn": "jjones@transend.onmicrosoft.com",
      "ver": "1.0"
    }


    Jeffrey McKay

    Monday, September 25, 2017 5:23 PM
  • EWS requires the Full Access grant, e.g. full_access_as_user, which I don't see in your token. Also, the resource URL I would suggest you use is Outlook.Office365.com, which is what Autodiscover will return for EWS. The EWSEditor https://ewseditor.codeplex.com/ has a working implementation of OAuth with EWS you can look at (e.g. look at the traces in Fiddler etc.).

    Cheers
    Glen

    Monday, September 25, 2017 11:48 PM
  • Everything that is in the "scp" parameter (I assume this means "scope") is not specifically assigned by my application. I assume they all come from the settings found in portal.azure.com, where I set up the application Id. Under API Access -> Required Permissions -> Office 365 Exchange Online, under "Delegated Permissions" there is a long list of things, such as "read and write user and shared mail", and others related to calendar, tasks, etc. I selected the ones I thought relevant to my application. Some, such as "manage exchange configuration", I did not select. I don't see anything about "full access". Do you have any idea where this would be set? I did change the resource URL as suggested to no effect.

    Jeffrey McKay

    Tuesday, September 26, 2017 6:39 PM
  • Never mind the above question, I had overlooked "Access Mailboxes as the signed-in user via Exchange Web Services". That took care of the problem.

    Jeffrey McKay

    Tuesday, September 26, 2017 8:53 PM
  • As a follow up to this question. Is it possible to have impersonated access with OAuth?

    I started with Azure 2.0 and even Autodiscover wasn't working.

    Then I switched to Azure and Autodiscover worked, but I can't get impersonated access to the calendars for example.

    I use a certificate to access the app as admin.

    Here's my JWT:

    {
      "aud": "https://outlook.office365.com",
      "iss": "https://sts.windows.net/91d21679-fc13-46d6-8dd3-3de0788af5e7/",
      "iat": 1535718841,
      "nbf": 1535718841,
      "exp": 1535722741,
      "aio": "42BgYDj68uz0sCwmf+GChAdCz1WqAA==",
      "app_displayname": "Office 365 Multinenant",
      "appid": "b71314d2-ff51-464f-a4f5-b7801400740f",
      "appidacr": "2",
      "e_exp": 262799,
      "idp": "https://sts.windows.net/91d21679-fc13-46d6-8dd3-3de0788af5e7/",
      "oid": "a74aed57-f4bb-41c7-9343-30ba21ab658c",
      "roles": [
        "Calendars.Read",
        "Contacts.Read"
      ],
      "sid": "cf7fe0b6-b4b6-4eb5-bc37-20f83364e30d",
      "sub": "a74aed57-f4bb-41c7-9343-30ba21ab658c",
      "tid": "91d21679-fc13-46d6-8dd3-3de0788af5e7",
      "uti": "fJ7z5TXmck2Aunm8wH7DAA",
      "ver": "1.0"
    }

    Friday, August 31, 2018 12:46 PM
  • EWS requires the full_access_as_user grant; it won't work with any other grants. You're better off using the Graph API if you need to constrain the access to just those particular grants, and overall you can build more secure apps with that API because you don't have to expose as many rights for your application.

    EWS Impersonation will work okay with OAuth but still requires the full_access_as_user grant.

    Cheers
    Glen

    Sunday, September 2, 2018 11:30 PM
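A diagnostic check for the two failure modes discussed in this thread (a delegated token whose "scp" lacks full_access_as_user, and an app-only token that carries only "roles"), as an added example that is not code from the thread. It decodes the JWT payload the way jwt.io does (no signature verification, so it is for inspection only), reports why EWS would reject the token, and builds the only auth header EWS needs; the sample tokens are constructed and unsigned, modelled on the claims posted above, and the jjones@example.com UPN is a placeholder.

```python
import base64
import json
import time

EWS_AUDIENCES = {"https://outlook.office.com", "https://outlook.office365.com"}
EWS_GRANT = "full_access_as_user"  # the grant Glen says EWS insists on

def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Diagnostic decode of the payload only: no signature check, same as jwt.io shows."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_ews_token(token: str, now=None) -> list:
    """Return the reasons EWS would reject this token; an empty list means usable."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud", "").rstrip("/") not in EWS_AUDIENCES:
        problems.append(f"aud {claims.get('aud')!r} is not an EWS resource")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        problems.append("token outside its nbf/exp validity window")
    # Delegated tokens list grants in "scp" (space separated), app-only tokens in "roles".
    grants = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if EWS_GRANT not in grants:
        problems.append(f"missing {EWS_GRANT}; EWS replies 'The token contains no permissions'")
    return problems

def ews_request_headers(token: str) -> dict:
    """All EWS needs: the bearer header, no user name (the identity is inside the token)."""
    return {"Authorization": "Bearer " + token, "Content-Type": "text/xml; charset=utf-8"}

# Constructed, unsigned sample tokens modelled on the two tokens posted in the thread.
def make_unsigned_token(payload: dict) -> str:
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."  # empty signature part

NOW = 1506360000  # fixed clock so the checks are reproducible
DELEGATED_NO_EWS = make_unsigned_token({"aud": "https://outlook.office.com/", "nbf": NOW - 600,
    "exp": NOW + 3000, "scp": "Mail.ReadWrite Calendars.ReadWrite", "upn": "jjones@example.com"})
APP_ONLY = make_unsigned_token({"aud": "https://outlook.office365.com", "nbf": NOW - 600,
    "exp": NOW + 3000, "roles": ["Calendars.Read", "Contacts.Read"]})
DELEGATED_OK = make_unsigned_token({"aud": "https://outlook.office365.com", "nbf": NOW - 600,
    "exp": NOW + 3000, "scp": "full_access_as_user Mail.ReadWrite"})
```

Running check_ews_token(DELEGATED_NO_EWS, NOW) reproduces the "no permissions" case from the thread, while DELEGATED_OK passes and can be sent with ews_request_headers().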