
I have a console application written in C# which we use to connect to an Outlook mailbox using the Exchange service to read the emails from the inbox. Recently, we migrated to Azure AD with MFA, and after that change my code is throwing a 401 Unauthorized error. Can anyone suggest a workaround to authenticate the console app to connect and read mail without any user dependency?

A normal WebClient function that uses a username and password is used to connect to Outlook. https://outlook.office365.com/EWS/Exchange.asmx is used as the Service object URL in the code.

1 Answer


Use ADAL.NET or MSAL.NET and OAuth2 authn to EWS: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth That will handle whatever MFA you have set up. (I am assuming your application is running with the user present and thus able to authenticate. If this is an unattended app running with user credentials hard-coded, then you will either have to allow that user not to use MFA or change the app to log in with a service principal, still using OAuth2 as above.)

Marc
  • Thanks for the reply Marc. Yes, the console app does not have user interaction. It runs as a scheduled job. Could you please help me with any article or blog on using an app to log in with a service principal while maintaining OAuth2? If you have come across any such reference material, it will save a lot of time for me. Good day !! :) – Sooraj Nair May 03 '19 at 06:05
  • https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v1-code#daemon-applications-accessing-web-apis-with-the-applications-identity – Marc May 03 '19 at 20:45
  • Note though that some APIs (EWS may be like that) insist on user delegated tokens - they need to know the person who owns the mailbox. Therefore you may be forced to use hard-coded user credentials and have that user exempted from MFA. – Marc May 03 '19 at 20:47
  • Hey Marc.. Thanks for the suggestions. It seems that at the Azure Portal we can generate a Client ID and App Key for the application and grant full app permissions to access all the entities. My confusion is that if that is the case, I can use this same Client ID to access any mailbox in the organisation. Is it something illegal or restricted? Is there any other way to do it? – Sooraj Nair May 06 '19 at 10:11
  • AAD distinguishes between permissions granted to an application and those granted to a user (delegated). If you grant Application Permissions then yes, the application can do whatever it is permitted to do using just the id and secret. If however you grant only Delegated Permissions, then a user will need to sign in and the resource (EWS here) will use that to determine whether an action is allowed or not. – Marc May 06 '19 at 14:49
  • Yes, but suppose I am going for Delegated Permissions: a user account with MFA exempted will be able to connect to the mailbox without any user interaction on the console. Correct me if I am wrong. I am just confirming whether the information I have gathered is valid or not. Thanks for the guidance and help given on this topic so far, Marc. – Sooraj Nair May 07 '19 at 09:29
  • Yes, using Delegated Permission with a user account with MFA disabled, an app will be able to get a token as if the user logged in. You will need to use the Resource Owner Password flow or, better, if you are running a domain/AAD joined machine, get the token using Kerberos or PRT. You will obviously need to sign in to the machine at start of the machine or run the process with runas as that user. – Marc May 07 '19 at 20:47
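The service-principal route discussed in the answer and the comments above, as an added example that is not from the original question, answer or the linked Microsoft article: an unattended C# console app obtains an OAuth2 access token with the MSAL.NET client credentials flow (no user, so no MFA prompt) and reads one mailbox's inbox through the EWS Managed API using impersonation. It assumes an Azure AD app registration that has been granted and admin-consented the Office 365 Exchange Online application permission `full_access_as_app`; the tenant id, client id, client secret and mailbox address are placeholders read from the environment rather than values from the page.

```csharp
// Added example, not code from the original post.
// NuGet packages assumed: Microsoft.Identity.Client (MSAL.NET) and
// Microsoft.Exchange.WebServices (EWS Managed API).
using System;
using System.Threading.Tasks;
using Microsoft.Exchange.WebServices.Data;
using Microsoft.Identity.Client;

class Program
{
    static async Task Main()
    {
        // Placeholders: supplied via environment so the secret never lives in source control.
        string tenantId     = Environment.GetEnvironmentVariable("AAD_TENANT_ID");
        string clientId     = Environment.GetEnvironmentVariable("AAD_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET");
        string mailbox      = "shared.mailbox@contoso.example"; // placeholder mailbox to read

        // Client credentials flow: the app authenticates as a service principal.
        // The ".default" scope requests every application permission already
        // granted to the app on the EWS resource (here: full_access_as_app).
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        AuthenticationResult auth = await app
            .AcquireTokenForClient(new[] { "https://outlook.office365.com/.default" })
            .ExecuteAsync();

        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
            // Bearer token replaces the old username/password WebCredentials.
            Credentials = new OAuthCredentials(auth.AccessToken),
            // An application token carries no mailbox identity, so EWS must be
            // told which mailbox to act on; this is the EWS impersonation header.
            ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, mailbox),
        };
        // Routing hint so Exchange Online sends the request to the right mailbox server.
        service.HttpHeaders.Add("X-AnchorMailbox", mailbox);

        // Read the ten newest inbox items; a 401 here means the token, consent
        // or impersonation target is wrong, not the MFA policy.
        FindItemsResults<Item> items = service.FindItems(WellKnownFolderName.Inbox, new ItemView(10));
        foreach (Item item in items)
        {
            Console.WriteLine($"{item.DateTimeReceived:u}  {item.Subject}");
        }
    }
}
```

The trade-off raised in the comments applies directly to this code: with `full_access_as_app` the client id and secret alone can impersonate any mailbox in the tenant, so the secret must be protected like a privileged credential (key vault, rotation, no hard-coding). Exchange Online's application access policies (`New-ApplicationAccessPolicy` in Exchange Online PowerShell) can restrict which mailboxes a given app registration may touch, which is the usual way to narrow this blast radius while keeping the job fully unattended.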