How to build a .NET 6 web application which has a background job to connect to a Microsoft 365 mailbox to extract email content and get the attachment

Jian, Jiehua 0 Reputation points
2023-04-13T13:58:46.1733333+00:00

I'm building a .NET 6 web application. Its background job/process needs to connect to a specific mailbox (for example, xxxxSupport@microsoft.com). This mailbox is owned by our organization and it's in Azure Active Directory. My background process is set to monitor the mailbox. Once a new email is received, the background process will decide, based on the email's subject and content, whether to insert a record into the SQL Server database. And if there are attachments in the email, the background process will save the attachments to a local Windows drive.

At the beginning of the design, I was planning to use the EWS Managed API and find a way to use OAuth instead of Basic authentication. However, I saw this post (https://devblogs.microsoft.com/microsoft365dev/upcoming-changes-to-exchange-web-services-ews-api-for-office-365/) where it says "While we are no longer actively investing in it, EWS is still available and supported for use in production environments. However, we strongly suggest migrating to Microsoft Graph to access Exchange Online data and gain access to the latest features and functionality." So I moved my focus to Microsoft Graph.

I took the tutorial (https://learn.microsoft.com/en-us/training/modules/msgraph-dotnet-core-show-user-emails/1-introduction) and watched the YouTube video (https://www.youtube.com/watch?v=acnFrkBL1kE&list=RDCMUCV_6HOhwxYLXAGd-JOqKPoQ). But in my web application, the background job doesn't need any user interaction; no other user will sign in, and it only needs to sign in to that specific mailbox, xxxxSupport@microsoft.com. So should I use app-only authentication? I then looked at https://learn.microsoft.com/en-us/graph/tutorials/dotnet-app-only?tabs=aad. But although the background job will extract emails from only one mailbox, it still needs to log in as the owner of that mailbox. Correct? Then I should be referring to https://learn.microsoft.com/en-us/graph/tutorials/dotnet?tabs=aad.

But this gives me an example of a .NET console app instead of a .NET web app. To summarize my questions:

  1. Should I use app-only authentication or delegated authentication?
  2. Any .NET web application example for my case scenario? Thanks very much

1 answer

  1. Bruce (SqlWork.com) 57,731 Reputation points
    2023-04-13T15:50:31.5633333+00:00

    You are correct to move to the Graph API. As you are creating a background service, you want to use app-only authentication, as the background service will not have a request to get the user's token from. You will probably use an AD application client ID & secret to request the access token.

    When you define the application in Azure AD you will need to add API access. When defining Graph API access, you will create a service account.

    To limit its access you will need to define an application access policy:

    https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

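An added example, not from the original thread or from Microsoft's documentation: a hosted background service that uses app-only (client-credentials) authentication to read one mailbox and save its file attachments, as the answer describes. It assumes the Azure.Identity and Microsoft.Graph (v5) NuGet packages, .NET 6 implicit usings, hypothetical `Mail:*` configuration keys, and an app registration whose Mail.ReadWrite application permission is restricted to this mailbox by an application access policy.

```csharp
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
// Hypothetical worker; the Mail:* configuration keys are assumptions of this example.
public sealed class MailboxWorker : BackgroundService
{
    private readonly GraphServiceClient _graph;
    private readonly string _mailbox, _saveDir;
    private readonly ILogger<MailboxWorker> _log;
    public MailboxWorker(IConfiguration cfg, ILogger<MailboxWorker> log)
    {
        _log = log;
        _mailbox = cfg["Mail:Mailbox"]!;   // the one mailbox the access policy allows
        _saveDir = Path.GetFullPath(cfg["Mail:SaveDir"]!);
        // Client-credentials flow: no user signs in. Load the secret from a vault or user secrets.
        var cred = new ClientSecretCredential(cfg["Mail:TenantId"], cfg["Mail:ClientId"], cfg["Mail:ClientSecret"]);
        _graph = new GraphServiceClient(cred, new[] { "https://graph.microsoft.com/.default" });
    }
    protected override async Task ExecuteAsync(CancellationToken ct)
    {
        using var timer = new PeriodicTimer(TimeSpan.FromMinutes(1));
        do
        {
            try { await PollAsync(ct); }
            catch (Exception ex) when (ex is not OperationCanceledException) { _log.LogError(ex, "Mailbox poll failed"); }
        } while (await timer.WaitForNextTickAsync(ct));
    }
    private async Task PollAsync(CancellationToken ct)
    {
        var page = await _graph.Users[_mailbox].MailFolders["inbox"].Messages.GetAsync(r =>
        {
            r.QueryParameters.Filter = "isRead eq false";
            r.QueryParameters.Select = new[] { "id", "subject", "bodyPreview" };
        }, ct);
        foreach (var msg in page?.Value ?? new List<Message>())
        {
            // Decide from msg.Subject / msg.BodyPreview whether to insert a SQL Server row (omitted).
            var atts = await _graph.Users[_mailbox].Messages[msg.Id].Attachments.GetAsync(cancellationToken: ct);
            foreach (var fa in (atts?.Value ?? new List<Attachment>()).OfType<FileAttachment>().Where(a => a.ContentBytes is not null))
            {
                // Attachment names are sender-controlled: drop any path part and prefix a GUID.
                var name = $"{Guid.NewGuid():N}_{Path.GetFileName(fa.Name ?? "attachment")}";
                await File.WriteAllBytesAsync(Path.Combine(_saveDir, name), fa.ContentBytes!, ct);
            }
            // Marking as read needs the Mail.ReadWrite application permission.
            await _graph.Users[_mailbox].Messages[msg.Id].PatchAsync(new Message { IsRead = true }, cancellationToken: ct);
        }
    }
}
```

Register the worker in `Program.cs` with `builder.Services.AddHostedService<MailboxWorker>();`. Without an application access policy, an application-level mail permission applies to every mailbox in the tenant, so a leaked client secret would expose all of them rather than the single support mailbox.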