Exchange server 0Auth authorization for single mailbox from backend service

Patrick Turner 1 Reputation point
2021-03-01T18:06:54.947+00:00

Background:
I'm upgrading a backend service that currently uses basic authentication to read and delete emails from a single mailbox on an exchange server to authenticate using OAuth2.0. I'm having difficulty finding conclusive documentation about the best authorization flow for this.

Question:
What is the best authorization flow that achieves the following?

  1. Authorizes a connection from backend service to an Exchange 2013 server, an Exchange 2016 server, an Exchange 2019 server, or Office365.
  2. Authorizes access to a specific mailbox and does not allow acess to other mailboxes within the organization.
  3. Allows read/write access.
Microsoft Graph Mail API
Microsoft Graph Mail API
A Microsoft API that supports accessing data in users' primary mailboxes and in shared mailboxes.
679 questions
Exchange Server Development
Exchange Server Development
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Development: The process of researching, productizing, and refining new or existing technologies.
311 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Glen Scales 3,871 Reputation points Microsoft MVP
    2021-03-01T22:54:18.743+00:00
    1. For Exchange Online the Client Credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow would be the best option for what you doing. Exchange OnPrem needs to handle differently and would require that the Organization have Hybrid modern Authentication configured to be able to use OAuth
    2. For Exchange Online use application access polices that allow you to scope Application permissions to one mailbox https://techcommunity.microsoft.com/t5/exchange-team-blog/application-access-policy-support-in-ews/ba-p/2110361
    3. If your using EWS then the only scopes its support allow Full Access, if you need Read access only you need to use the Microsoft Graph
    No comments