Exchange server 0Auth authorization for single mailbox from backend service

Question

Background:
I'm upgrading a backend service that currently uses basic authentication to read and delete emails from a single mailbox on an exchange server to authenticate using OAuth2.0. I'm having difficulty finding conclusive documentation about the best authorization flow for this.

Question:
What is the best authorization flow that achieves the following?

1. Authorizes a connection from backend service to an Exchange 2013 server, an Exchange 2016 server, an Exchange 2019 server, or Office365.
2. Authorizes access to a specific mailbox and does not allow acess to other mailboxes within the organization.
3. Allows read/write access.

Answer 1

1. For Exchange Online the Client Credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow would be the best option for what you doing. Exchange OnPrem needs to handle differently and would require that the Organization have Hybrid modern Authentication configured to be able to use OAuth
2. For Exchange Online use application access polices that allow you to scope Application permissions to one mailbox https://techcommunity.microsoft.com/t5/exchange-team-blog/application-access-policy-support-in-ews/ba-p/2110361
3. If your using EWS then the only scopes its support allow Full Access, if you need Read access only you need to use the Microsoft Graph