
I'm trying to read emails from the inbox using MSAL and EWS. So far I'm able to authenticate using MSAL but got stuck at reading emails.

If I provide the application API permission for the Exchange API as "full_access_as_app", then I am able to read emails in the Inbox folder. However, in order to follow the least privilege principle, I do not want to go with the full access option. So when I revoke full access and then provide permission and consent only for Mail.Read, I get a 401 error:

```
Type: Microsoft.Exchange.WebServices.Data.ServiceRequestException
Stack trace:
at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
at Microsoft.Exchange.WebServices.Data.ExchangeService.InternalCreateItems(IEnumerable`1 items, FolderId parentFolderId, Nullable`1 messageDisposition, Nullable`1 sendInvitationsMode, ServiceErrorHandling errorHandling)
at Microsoft.Exchange.WebServices.Data.Item.InternalCreate(FolderId parentFolderId, Nullable`1 messageDisposition, Nullable`1 sendInvitationsMode)
at Microsoft.Exchange.WebServices.Data.Item.Save(FolderId parentFolderId)
at Microsoft.Exchange.Tools.ExRca.Tests.CreateItemTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse()
at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
```

I have tried a few more permissions, such as the ones below, but they haven't worked either:

Exchange.ManageAsApp
Mail.ReadWrite
MailboxSettings.Read
MailboxSettings.ReadWrite
User.Read.All

[API Permissions][1]

**Which minimal permissions should be set up in order to read emails from a user's mailbox folders?**

Thank you


  [1]: https://i.stack.imgur.com/xFub6.png
1 Answer


Unfortunately, because EWS is a legacy API at this point, the more constrained permissions aren't implemented, so the only two scopes that work are EWS.AccessAsUser.All for delegated permission and full_access_as_app for app permissions. If you need to use more constrained permissions then look at using the Graph API.
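A quick way to confirm this before making the EWS call is to inspect the access token MSAL hands back: EWS only honours a token whose audience is the Exchange Online resource and whose `roles` claim (app-only) contains `full_access_as_app` or whose `scp` claim (delegated) contains `EWS.AccessAsUser.All`; a token carrying only `Mail.Read` produces exactly the 401 above. The following diagnostic is an added example, not code from the question or the answer; the tokens it checks are constructed, unsigned JWTs (a real Azure AD token must still be verified by the resource, which this helper deliberately does not do).

```python
import base64
import json

# Audiences EWS accepts. A token minted for Graph (aud https://graph.microsoft.com)
# is rejected by EWS with 401 regardless of the permissions it carries.
EWS_AUDIENCES = {"https://outlook.office365.com", "https://outlook.office.com"}
# The only two EWS permissions Azure AD exposes, as stated in the answer.
EWS_APP_ROLE = "full_access_as_app"           # application permission (client credentials)
EWS_DELEGATED_SCOPE = "EWS.AccessAsUser.All"  # delegated permission (signed-in user)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_ews_token(token: str) -> list:
    """Return the reasons EWS would reject this token; an empty list means it should be accepted."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("aud") not in EWS_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not an Exchange Online audience")
    roles = set(claims.get("roles", []))            # app-only permissions land in 'roles'
    scopes = set(claims.get("scp", "").split())     # delegated permissions land in 'scp'
    if EWS_APP_ROLE not in roles and EWS_DELEGATED_SCOPE not in scopes:
        problems.append("no EWS permission: needs full_access_as_app (roles) or "
                        "EWS.AccessAsUser.All (scp); Mail.Read and friends do not apply to EWS")
    return problems


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the examples below (not a real Azure AD token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


# Constructed tokens mirroring the two app registrations in the question.
MAIL_READ_TOKEN = make_token({"aud": "https://outlook.office365.com", "roles": ["Mail.Read"]})
FULL_ACCESS_TOKEN = make_token({"aud": "https://outlook.office365.com", "roles": ["full_access_as_app"]})

if __name__ == "__main__":
    for name, tok in (("Mail.Read", MAIL_READ_TOKEN), ("full_access_as_app", FULL_ACCESS_TOKEN)):
        print(name, "->", check_ews_token(tok) or ["ok"])
```

Run the same check against the `roles`/`scp` claims of a Graph token to see why the Graph API is the route to a narrower `Mail.Read` grant: the permission is present, but the audience is Graph, not Exchange Online.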