
The IT department is moving away from creating a service account to shared mailbox. All of our department email accounts are being converted to shared mailbox. Until now, I had been using EWS to send email from our web app to recipients using the following code:

using System;
using System.Net;
using Microsoft.Exchange.WebServices.Data;

// Service-account credentials hard-coded in source: the pattern the question wants to move away from
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
{
    Credentials = new NetworkCredential("dept_email@example.com", "Password1"),
    Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx")
};

// Message and Recipient are the web app's own objects
EmailMessage email = new EmailMessage(service);
email.Body = new MessageBody(BodyType.HTML, Message.ToString());
email.ToRecipients.Add(Recipient.email);
email.SendAndSaveCopy();

How can I use a shared mailbox for sending emails instead of hard-coding the email address and password? The email address I use is the service account that doesn't fall under the current password security criteria. It is because of this reason that they're changing department emails to shared mailboxes.

I'm using Windows Authentication that authenticates users from Active Directory.

Kuni
  • I recall you have to set the `email.FromAddress`, there's something else as well, I think it's that the users have permission/are part of the shared mailbox group – Jeremy Thompson Jun 19 '17 at 23:05
  • Instead of hard coding Credentials, use `CredentialCache.DefaultCredentials;` which will use Windows Integrated security like you want – Jeremy Thompson Jun 19 '17 at 23:08
  • Without a service account the website will have to run using a shared mailbox user (that's not good security wise). – Jeremy Thompson Jun 19 '17 at 23:18

1 Answer


If you want to keep using EWS you will still probably need a Service account for using Shared Mailboxes (unless your app can impersonate a user that has SendAs rights on the Shared Mailbox), e.g. you grant the Service Account SendAs rights for the Shared Mailboxes you want to send as and then set the From Address and Sent Items Folder to that of the Shared Mailbox (that's if you want a copy of the message saved in the Shared Mailbox's Sent Items Folder). e.g.

// From is the shared mailbox; the copy is saved in the shared mailbox's Sent Items, not the service account's
email.From = new EmailAddress("smtpaddress@domain.com");
Mailbox SharedMailbox = new Mailbox("smtpaddress@domain.com");
FolderId SharedMailboxSendItems = new FolderId(WellKnownFolderName.SentItems, SharedMailbox);
email.SendAndSaveCopy(SharedMailboxSendItems);

A better approach which would allow you to get rid of the service account would be to use the new REST API https://msdn.microsoft.com/en-us/office/office365/api/mail-rest-operations then create an App that just has rights to Send Email and take advantage of certificate authentication https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365. That should allow you to get rid of any licence requirements for the Service Account and also gives a much more secure application as you no longer have hardcoded creds and your app just has access for what it needs to do and nothing else.

Martin Liversage
Glen Scales
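As an added example (not Glen Scales's code nor the question's), here is the answer's SendAs-plus-Sent-Items approach written out against the EWS Managed API (`Microsoft.Exchange.WebServices` NuGet package), with the service-account credential passed in from a secret store instead of a literal in source. The `SharedMailboxSender` class, the parameter names and any addresses you pass are placeholders; it assumes the account holds SendAs rights on the shared mailbox, as the answer states.

```csharp
using System;
using System.Net;
using Microsoft.Exchange.WebServices.Data;

public static class SharedMailboxSender   // hypothetical helper, not part of the answer
{
    // Sends a message that appears to come from the shared mailbox and files the copy
    // in that mailbox's own Sent Items folder. Prerequisite: the authenticating account
    // has SendAs on sharedMailboxSmtp (a Full Access grant alone is not enough).
    public static void SendAsSharedMailbox(
        NetworkCredential serviceAccount,   // loaded from configuration/secret store, never hard-coded
        string sharedMailboxSmtp,
        string toSmtp,
        string subject,
        string htmlBody)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            Credentials = serviceAccount,
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx")
        };

        var email = new EmailMessage(service)
        {
            Subject = subject,
            Body = new MessageBody(BodyType.HTML, htmlBody),
            // The visible sender is the shared mailbox, not the service account.
            From = new EmailAddress(sharedMailboxSmtp)
        };
        email.ToRecipients.Add(toSmtp);

        // Target the shared mailbox's Sent Items so the department keeps its own record.
        var sharedMailbox = new Mailbox(sharedMailboxSmtp);
        var sharedSentItems = new FolderId(WellKnownFolderName.SentItems, sharedMailbox);

        try
        {
            email.SendAndSaveCopy(sharedSentItems);
        }
        catch (ServiceResponseException ex) when (ex.ErrorCode == ServiceError.ErrorSendAsDenied)
        {
            // Make the missing permission explicit instead of surfacing a generic EWS failure.
            throw new InvalidOperationException(
                $"Service account lacks SendAs rights on {sharedMailboxSmtp}.", ex);
        }
    }
}
```

If the service account instead impersonates a user who holds SendAs (the other option the answer mentions), set `service.ImpersonatedUserId` to that user before building the message and the rest of the method is unchanged.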
  • I had no idea I could do that. I never liked the way I had done, but had to do it nonetheless. I never went back and looked for other ways until the recent changes. This might be just what I need for our future development. I'll check it out and see if REST Api will work for us. – Kuni Jun 20 '17 at 14:25
  • Is it possible to do REST api for the shared mailbox for Office 365? – Kuni Jun 20 '17 at 22:48
  • Yes, e.g. if you give your application the (Application) Send permissions it can then send as any mailbox – Glen Scales Jun 20 '17 at 23:06
  • It's a bit confusing, the article focuses on Azure AD but our company doesn't use Azure AD that I know of. We have our own AD to which I have limited access. Also, I can't open a mailbox for the `shared mailbox` so how do I use the REST API? Pretty much everyone who uses this in-built app has access to this shared mailbox. – Kuni Jun 20 '17 at 23:13
  • If you're using Office 365 then you have Azure AD (e.g. you are probably using dirsync to sync the local AD into the cloud). https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9?ui=en-US&rs=en-US&ad=US. You may want to just try the sandbox environment https://oauthplay.azurewebsites.net/ to get used to using the REST api. With the REST api you have two access methods: either you give the App mailbox access and do certain tasks, or you have the delegated user access model which is back to using service accounts. – Glen Scales Jun 21 '17 at 00:43
  • What if I'm using OAuth2 authentication in EWS? Is there sample C# code for that? – aj go Feb 26 '22 at 01:56