How to build .Net6 web application which has a background job to connect to Microsoft 365 mailbox to extract email content and get the attachment

Question

I'm building a .Net6 web application. It's background job/process need to connect to a specific mailbox (For Example, xxxxSupport@microsoft.com) this mailbox is owned by our organization and it's in Azure Active Directory. My background process is set to monitor the mailbox once a new email is received, then the background process will base on the email's subject and content to decide whether to insert a record to the SQL Server database. And if there are attachments in the email, the background process will save the attachments to a local windows driver. At the beginning of the design, I was planning to use EWS Managed API, and find a way to use OAuth instead of Basic authentication. However, I saw this post (https://devblogs.microsoft.com/microsoft365dev/upcoming-changes-to-exchange-web-services-ews-api-for-office-365/) where it says "While we are no longer actively investing in it, EWS is still available and supported for use in production environments.  However, we strongly suggest migrating to Microsoft Graph to access Exchange Online data and gain access to the latest features and functionality. " So I moved my focus to Microsoft Graph. I took the tutorial (https://learn.microsoft.com/en-us/training/modules/msgraph-dotnet-core-show-user-emails/1-introduction) and the Youtube (https://www.youtube.com/watch?v=acnFrkBL1kE&list=RDCMUCV_6HOhwxYLXAGd-JOqKPoQ). But in my web application, the background job doesn't need to have any user interaction, it won't have any other user to sign in. and it only needs to sign in to that specific mail box xxxxSupport@microsoft.com. So should I use app-only authentication? I then looked at https://learn.microsoft.com/en-us/graph/tutorials/dotnet-app-only?tabs=aad But although the background job will extract emails only from one mailbox, it still need to login as the owner of that mailbox. Correct? Then I should be taking reference to https://learn.microsoft.com/en-us/graph/tutorials/dotnet?tabs=aad. But this gives me example of .Net console app instead of .Net web app. To summarize my questions

1. Should I use app-only authentication or delegated authentication?
2. Any .Net web application example for my case senario? Thanks very much

Answer 1

you are correct to more to the graph api. as you are creating a background service, you want to use app-only authentication, as the background service will not have a request to get the users token from. you will probably use an ad application clientid & secret to request the access token.

when you define the application in azure ad you will will need to add api access. when defining graph api access, you will create a service account.

to limit its access you will need to define a application access policy:

https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access