I have registered an application for OAuth with Azure and Exchange 365 permission (full-access-as-app).
When I try to access EmailMessage.Bind(service, fixedId, propertySet) from my web app it throws this error:
Microsoft.Exchange.WebServices.Data.ServiceResponseException: Access is denied. Check credentials and try again., The process failed to get the correct properties.
Tried giving explicit permissions as well (calendar, contact, emailsettings), all admin-consented.
However, I am able to send email and create tasks.
Anything I am missing? I would appreciate any help.
Thanks, AK
Update:
I am using the following code and application registration (app-only), following this: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
I have 2 tenants, A and B. Accounts from tenant A, where the application is registered, are fine, but from tenant B it fails with this error: The SMTP address has no mailbox associated with it.
Consent and permissions for both tenants are set as:
Allow user consent for apps
Property sets are created like this:
```csharp
using Microsoft.Exchange.WebServices.Data;

// Start from the first-class properties and add the custom named (PublicStrings)
// MAPI properties the application stores on the item.
var propertySet = new PropertySet(BasePropertySet.FirstClassProperties);
if (!string.IsNullOrWhiteSpace(propertyName))
{
    // A specific named string property was requested: fetch only that one.
    var extendedPropertyDefinition = new ExtendedPropertyDefinition(
        DefaultExtendedPropertySet.PublicStrings, propertyName, MapiPropertyType.String);
    propertySet.Add(extendedPropertyDefinition);
}
else
{
    // Otherwise fetch the application's default set of named properties.
    propertySet.Add(new ExtendedPropertyDefinition(DefaultExtendedPropertySet.PublicStrings, PersonIdPropertyName, MapiPropertyType.String));
    propertySet.Add(new ExtendedPropertyDefinition(DefaultExtendedPropertySet.PublicStrings, PersonDataPropertyName, MapiPropertyType.String));
    propertySet.Add(new ExtendedPropertyDefinition(DefaultExtendedPropertySet.PublicStrings, PersonContextPropertyName, MapiPropertyType.String));
}
```
Answering my question.
Issue 1: "Unauthorized 401 errors" occur when admin consent is not granted in the consumer tenant directory.
Issue 2: "The SMTP address has no mailbox associated with it" was due to the OAuth app being registered in a different tenant (in the multi-tenant case).
If the auth app serves multiple tenants, then you need to take care of two things:
1: The supported account type should be "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" while registering the auth app.
2: Build the application with:
```csharp
var cca = ConfidentialClientApplicationBuilder
    .Create(appId)
    .WithAuthority("https://login.microsoftonline.com/{tenant id of consumer}")
    .WithClientSecret(clientSecret)
    .Build();
```
instead of
```csharp
var cca = ConfidentialClientApplicationBuilder
    .Create(appId)
    .WithClientSecret(clientSecret)
    .WithTenantId(tenantId)
    .Build();
```
For example:
If the auth app is registered in A, and you want to authenticate Office 365 accounts in tenant B, then the admin in tenant B should grant admin consent to the app using this link https://login.microsoftonline.com/{tenantid of tenant B}/adminconsent?client_id={clientid of auth app} and use the authority "https://login.microsoftonline.com/{tenant id of tenant B}" while creating the application builder.
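To show the two steps of the answer end to end, here is an added example (not the poster's code and not from the Microsoft how-to the question links): it builds the admin-consent link for the consumer tenant, acquires an app-only token against that tenant's authority rather than the registering tenant's, and configures an EWS `ExchangeService` for one mailbox. The `EwsAppOnlyClient` class, its method names and all argument values are assumptions; the `.default` scope, `OAuthCredentials`, `ImpersonatedUserId` and the `X-AnchorMailbox` header are the standard app-only EWS pattern. It targets MSAL.NET (`Microsoft.Identity.Client`) and the EWS Managed API (`Microsoft.Exchange.WebServices`).

```csharp
// Added example, not part of the original question or answer.
// Assumed placeholders: appId, clientSecret, consumerTenantId, mailboxSmtp.
using System;
using System.Threading.Tasks;
using Microsoft.Exchange.WebServices.Data;
using Microsoft.Identity.Client;

public static class EwsAppOnlyClient
{
    // ".default" requests every application permission the tenant admin consented to
    // (for this scenario, full_access_as_app on Office 365 Exchange Online).
    private static readonly string[] EwsScopes = { "https://outlook.office365.com/.default" };

    private const string EwsUrl = "https://outlook.office365.com/EWS/Exchange.asmx";

    // Step 0 (from the answer): the link a tenant B admin must visit once so the
    // multi-tenant app gets a service principal and consent in tenant B.
    public static string AdminConsentUrl(string consumerTenantId, string appId)
    {
        return $"https://login.microsoftonline.com/{consumerTenantId}/adminconsent?client_id={appId}";
    }

    // Step 2 (from the answer): the authority names the tenant that owns the mailbox,
    // not the tenant the app is registered in. Using the registering tenant here is what
    // produces "The SMTP address has no mailbox associated with it" for tenant B users.
    public static IConfidentialClientApplication BuildClient(string appId, string clientSecret, string consumerTenantId)
    {
        return ConfidentialClientApplicationBuilder
            .Create(appId)
            .WithAuthority($"https://login.microsoftonline.com/{consumerTenantId}")
            .WithClientSecret(clientSecret)
            .Build();
    }

    // Acquires an app-only token for the consumer tenant and wires it into EWS.
    public static async Task<ExchangeService> ConnectAsync(
        string appId, string clientSecret, string consumerTenantId, string mailboxSmtp)
    {
        var cca = BuildClient(appId, clientSecret, consumerTenantId);

        AuthenticationResult result;
        try
        {
            result = await cca.AcquireTokenForClient(EwsScopes).ExecuteAsync();
        }
        catch (MsalServiceException ex)
        {
            // The most common cause in the multi-tenant setup is that the consumer
            // tenant's admin has not granted consent yet (Issue 1 in the answer).
            throw new InvalidOperationException(
                $"Token request failed ({ex.ErrorCode}). Has an admin of tenant {consumerTenantId} visited " +
                $"{AdminConsentUrl(consumerTenantId, appId)}?", ex);
        }

        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            Url = new Uri(EwsUrl),
            Credentials = new OAuthCredentials(result.AccessToken),
            // An app-only token carries no user identity, so EWS needs to be told
            // which mailbox the call acts on.
            ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, mailboxSmtp),
        };
        // Routes the request to the right mailbox server; cheap to set, avoids misrouting.
        service.HttpHeaders.Add("X-AnchorMailbox", mailboxSmtp);
        return service;
    }

    // Same call as in the question, now against a service bound to the consumer tenant.
    public static EmailMessage BindMessage(ExchangeService service, string itemId, PropertySet propertySet)
    {
        return EmailMessage.Bind(service, new ItemId(itemId), propertySet);
    }
}

// Usage (placeholders):
// var svc = await EwsAppOnlyClient.ConnectAsync("{app id}", "{client secret}", "{tenant id of tenant B}", "user@tenantb.example");
// var msg = EwsAppOnlyClient.BindMessage(svc, "{ews item id}", new PropertySet(BasePropertySet.FirstClassProperties));
```

Keep a separate `IConfidentialClientApplication` per consumer tenant (MSAL caches tokens per authority), and treat the registering tenant's id purely as the app's home: nothing about tenant B's mailboxes is reachable through an authority pointing at tenant A.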