Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error
EWS Application impersonation - Unable to retrieve messages using EWS impersonation
Options
Go to last post Go to first unread
Previous Topic Next Topic
trentcioran  
#1 Posted : Thursday, June 25, 2020 6:45:03 AM(UTC)
trentcioran

Rank: Newbie

Groups: Registered
Joined: 11/1/2016(UTC)
Posts: 4
Hi,

I am trying to retrieve emails from O365 using an account granted the role of application impersonation, followed the steps described in this example C#/ASP.NET/ASP MVC - Retrieve Email using Microsoft OAuth 2.0 (Modern Authentication) + EWS Protocol from Office 365 in Background Service, my code is as follows

Quote:

string client_id = "client_id...";
string client_secret = "client_secret...";

string tenant = "my_tenant_id_from_azure_portal...";

string requestData =
$"client_id={client_id}&client_secret={client_secret}&scope=https://outlook.office365.com/.default&grant_type=client_credentials";

string tokenUri = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token";
string responseText = _postString(tokenUri, requestData);

OAuthResponseParser parser = new OAuthResponseParser();
parser.Load(responseText);

MailServer server = new MailServer(
config.ServerName,
config.Username,
parser.AccessToken, // use access token as password
ServerProtocol.ExchangeEWS); // use Http EWS protocol

server.SSLConnection = true;
server.AuthType = ServerAuthType.AuthXOAUTH2;

var client = new MailClient(ConfigurationManager.AppSettings["eagetmail.license"]);
client.Connect(server);


when the code executes the last line it throws an exception

"The remote server returned an error: (401) Unauthorized."

Am I missing something?

Here is the configuration of the azure application.

App Registration

App API Permissions

App Roles

Thanks,
Manuel
Back to top

Wanna join the discussion?! Login to your EmailArchitect Support forum accountor Register a new forum account.
Back to top  
ivan  
#2 Posted : Thursday, June 25, 2020 4:04:04 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
1, you missed full_access_as_app

Click "API Permission" -> "Add a permission" -> "Exchange" -> "Application permissions" -> Check "full_access_as_app";

2. did you get approval from office365 administrator grant?

https://www.emailarchite...aspx#grant-admin-consent
Back to top
trentcioran  
#3 Posted : Thursday, June 25, 2020 4:26:50 PM(UTC)
trentcioran

Rank: Newbie

Groups: Registered
Joined: 11/1/2016(UTC)
Posts: 4
Originally Posted by: ivan Go to Quoted Post
1, you missed full_access_as_app

Click "API Permission" -> "Add a permission" -> "Exchange" -> "Application permissions" -> Check "full_access_as_app";

2. did you get approval from office365 administrator grant?

https://www.emailarchite...aspx#grant-admin-consent



Hi Ivan, thank you for your help. I previously did 2 without success, after granting full_access_as_app and granting that request it works. Now I have the question: Why do I need to grant full access if the application just needs to read emails from different mailboxes? (that is what the sys admin is going to ask for sure).


Thanks again,
Manuel
Back to top
ivan  
#4 Posted : Thursday, June 25, 2020 4:39:19 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
because the application uses EWS protocol, there is no other permission except full_access_as_app "introduced in Office365 official document".
Back to top
JamesC  
#5 Posted : Friday, November 27, 2020 2:43:49 AM(UTC)
JamesC

Rank: Newbie

Groups: Registered
Joined: 11/26/2020(UTC)
Posts: 2
United Kingdom
Location: Nottm
Hi there,
I too am experiencing a 401 error with the sample code for retrieving emails but when I go into Admin\App Registrations on my application I do not get the option to assign permissions for Exchange. Has this been changed now by MS so that these permissions are assigned through Graph?
In Graph I have assigned the following (some came through as default)
de6d7815-5289-4d8e-b8ed-0d2568c7b468.png
All options have been Granted by the admin and the status has a green tick.

Many thanks for any advice James

Edited by moderator Saturday, November 28, 2020 1:42:26 AM(UTC)  | Reason: Not specified
Back to top
ivan  
#6 Posted : Saturday, November 28, 2020 1:59:50 AM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
It seems that Azure removed the permission from GUI, you should assign the permission manually like this:

Select Manifest in the left-hand navigation under Manage.

Locate the requiredResourceAccess property in the manifest, and add the following inside the square brackets ([]):

JSON

Copy
Code:

{
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
        {
            "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
            "type": "Role"
        }
    ]
}

Select Save.

Select API permissions under Manage. Confirm that the full_access_as_app permission is listed.

Select Grant admin consent for org and accept the consent dialog.

Select Certificates & Secrets in the left-hand navigation under Manage.

Select New client secret, enter a short description and select Add.

Copy the Value of the newly added client secret and save it, you will need it later.
Back to top
JamesC  
#7 Posted : Tuesday, December 1, 2020 7:31:29 AM(UTC)
JamesC

Rank: Newbie

Groups: Registered
Joined: 11/26/2020(UTC)
Posts: 2
United Kingdom
Location: Nottm
Hi Ivan,
thanks a lot!
I can confirm that the above fixed my problems.

Many thanks James
Back to top
ivan  
#8 Posted : Monday, January 11, 2021 2:45:48 AM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
I found we don't have to edit the manifest file manually if you're a user in your organization, you can find the permission at

Add permission -> API in APIs my organization uses -> Office 365 Exchange Online -> Application permissions -> Other permissions -> full_access_as_app
Back to top
Users browsing this topic
Guest (2)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2024, Yet Another Forum.NET
This page was generated in 0.110 seconds.

EXPLORE TUTORIALS

Send Email

Read and Parse Email

DKIM Solution

© All Rights Reserved, AIFEI Software Limited & AdminSystem Software Limited.