0
votes

My application is a daemon application. It can access a particular mailbox in an Exchange server of an organization with EWS by using Basic Authentication. We have to use OAuth2, as Basic Authentication will be terminated on Oct. 20, 2020. Is it possible for a daemon application to use the OAuth2 token to access just one particular mailbox in a corporate Exchange server? Specifically, can the EWS Mail.* permission be limited to one mailbox, as Basic Authentication does?

1

1 Answer

0
votes

Not exactly. When your daemon app authenticates against EWS, it would call AcquireTokenAsync with either a ClientAssertionCertificate or a ClientCredential (clientID+secret). However, these will grant you complete access to the Exchange system, which in a lot of cases is not a good thing security-wise. A third option is to call AcquireTokenAsync with a UserPasswordCredential object (UPN+password), which allows your app access under a specific user context. It could be the userid for a particular mailbox, but if you want the app to access several mailboxes, it's more useful to use Exchange impersonation or delegation rights, and have this user be more like a service account.
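The three AcquireTokenAsync variants named in the answer, and the EWS call that targets one mailbox with the resulting token, as an added C# example (not code from the question, the answer, or Microsoft). It assumes ADAL.NET 3.x (Microsoft.IdentityModel.Clients.ActiveDirectory) and the EWS Managed API (Microsoft.Exchange.WebServices); the tenant id, client id, mailbox address and the EWS_CLIENT_SECRET environment variable are placeholders to be replaced with your own values.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Exchange.WebServices.Data;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example: acquire an OAuth2 token with ADAL and open one mailbox over EWS.
// Every constant below is a placeholder, not a value from the original post.
class EwsOAuthDaemon
{
    const string Authority      = "https://login.microsoftonline.com/<tenant-id>"; // placeholder
    const string EwsResource    = "https://outlook.office365.com";                 // EWS resource id
    const string ClientId       = "<application-client-id>";                        // placeholder
    const string MailboxAddress = "shared-mailbox@example.com";                     // placeholder

    // Option 1: ClientCredential (client id + secret).
    // App-only token: the token itself is valid for every mailbox the app is granted.
    static Task<AuthenticationResult> TokenWithSecret(string secret)
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(EwsResource, new ClientCredential(ClientId, secret));
    }

    // Option 2: ClientAssertionCertificate. Same tenant-wide scope as option 1,
    // but the app proves its identity with a certificate instead of a shared secret.
    static Task<AuthenticationResult> TokenWithCertificate(X509Certificate2 cert)
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(EwsResource, new ClientAssertionCertificate(ClientId, cert));
    }

    // Option 3: UserPasswordCredential (UPN + password).
    // The token carries that user's context, so access is bounded by what the user can see.
    static Task<AuthenticationResult> TokenAsUser(string upn, string password)
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(EwsResource, ClientId, new UserPasswordCredential(upn, password));
    }

    // Attach the bearer token to an EWS session. With an app-only token, EWS must be told
    // which mailbox each call is for; that header names the mailbox but does not narrow
    // the token, so the restriction has to be enforced on the Exchange side.
    static ExchangeService OpenMailbox(string accessToken, bool appOnly)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            Url = new Uri(EwsResource + "/EWS/Exchange.asmx"),
            Credentials = new OAuthCredentials(accessToken),
        };
        if (appOnly)
        {
            service.ImpersonatedUserId =
                new ImpersonatedUserId(ConnectingIdType.SmtpAddress, MailboxAddress);
        }
        return service;
    }

    static async Task Main()
    {
        // Secret read from the environment so it never lands in source control (assumption).
        var secret = Environment.GetEnvironmentVariable("EWS_CLIENT_SECRET");
        AuthenticationResult result = await TokenWithSecret(secret);

        ExchangeService service = OpenMailbox(result.AccessToken, appOnly: true);
        var inbox = new FolderId(WellKnownFolderName.Inbox, new Mailbox(MailboxAddress));
        Folder folder = Folder.Bind(service, inbox);
        Console.WriteLine($"Inbox of {MailboxAddress}: {folder.TotalCount} items");
    }
}
```

The contrast the answer draws is visible in the three token methods: options 1 and 2 return the same kind of app-only token, and the only thing that names a single mailbox is the ImpersonatedUserId header added afterwards, which a compromised secret or certificate would let anyone omit or change. Option 3 is the one where the token itself is bound to one identity, which is why the answer suggests a dedicated service-account user when the app must stay limited to a few mailboxes.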