仅限Azure AD应用程序访问令牌以进行模拟交易
I have been following this resource to create an application on azure that authenticates itself with the azure active directory. We want to use the token from this auth interaction with exchange and the EWS managed API to impersonate everyone in our organization, without them having to login.
我已经在我们的组织上以天蓝色注册了一个应用,并允许其交换.创建证书并设置证书后,我可以通过以下代码使用ADAL获得仅应用访问令牌...
I have registered an app with our organization on azure and gave it permission to exchange. After creating a certificate and setting up our azure application with it, I can get an app-only access token using the ADAL via the following code...
string authority = "https://login.windows.net/{tenant}/oauth2/authorize";
AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
var certPath = @"C:\path\to\cert\Cert.pfx";
var certfile = System.IO.File.OpenRead(certPath);
var certificateBytes = new byte[certfile.Length];
certfile.Read(certificateBytes, 0, (int)certfile.Length);
var cert = new X509Certificate2(
certificateBytes,
PRIVATE_KEY_PASSWORD,
X509KeyStorageFlags.Exportable |
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.PersistKeySet);
ClientAssertionCertificate cac = new ClientAssertionCertificate(CLIENT_ID, cert);
var token = await authenticationContext.AcquireTokenAsync("https://outlook.office365.com/", cac);
使用此令牌,与Ews托管API进行交互的代码如下所示.
With this token the code to interact with the Ews managed API looks like this..
ServicePointManager.ServerCertificateValidationCallback = CertificateValidationCallBack;
_ExchangeService = new ExchangeService(ExchangeVersion.Exchange2013_SP1) {
Credentials = new OAuthCredentials(token),
Url = new Uri("https://outlook.office365.com/ews/exchange.asmx"),
ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.PrincipalName, "me@email.com"),
};
_ExchangeService.HttpHeaders.Add("X-AnchorMailbox", "me@email.com");
这似乎是通过托管api设置模拟的正确方法,尽管每个请求都会返回401未经授权的错误.
This appears to be the correct way to set up impersonation via the managed api, though every request returns a 401 unauthorized error.
我的问题归结为,我在这里做错什么了吗?还是我需要做一些其他事情来使我的应用程序可以访问交换服务器?
My question boils down to, am I doing something wrong here? Or is there something else that I need to do to give my application access to the exchange server?
The article I was following did mention a client consent flow, but the details around that section aren't clear. Can I not give my app permission for everyone without prompting them for consent initially.
它在我这边工作,请首先确认您已设置使用对所有邮箱具有完全访问权限的Exchange Web服务 Office 365 Exchange Online 到受Azure AD保护的应用程序: 为了进行测试,您可以尝试以下代码:
It is working on my side , please firstly confirm you have set Use Exchange Web Services with full access to all mailboxes application permission for Office 365 Exchange Online to your app which protected by Azure AD : For testing , you could try below code :
ExchangeService exchangeService = new ExchangeService(ExchangeVersion.Exchange2013);
exchangeService.Url = new Uri("https://outlook.office365.com/ews/exchange.asmx");
exchangeService.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "sp.tech@o365e3w15.onmicrosoft.com");
exchangeService.HttpHeaders.Add("X-AnchorMailbox", "sp.tech@o365e3w15.onmicrosoft.com");
exchangeService.TraceEnabled = true;
exchangeService.TraceFlags = TraceFlags.All;
exchangeService.Credentials = new OAuthCredentials(token.AccessToken);
Folder newFolder = new Folder(exchangeService);
newFolder.DisplayName = "TestFolder";
newFolder.Save(WellKnownFolderName.Inbox);
这将在目标帐户的收件箱中创建一个新文件夹.
Which will create a new folder in the target account's Inbox .