Tags: exchangewebservices, office-addins

Office365: Load email from an external account without the need to refresh


We would like to create an integration with our customer's Office 365 email account (not our account) so we can load emails coming from a certain sender and display them in our site. One solution is basically to ask the customer for their username and password and then just log in using EWS, but this is horribly insecure and basic auth is about to be deprecated in EWS.

The other solution is using OAuth2 and OIDC; however, the access and refresh tokens will expire and we will constantly have to ask the user to re-sync with an admin account.

Is there a way to sync mail for a user without requiring them to re-sync when their token expires without using basic authentication?

I was thinking there might be a Graph API subscription; however, I didn't see how to do this on external accounts and it seems that it also needs to be refreshed. The other solution might be an Office 365 plugin, but I haven't found any tutorial on how to do this.


Solution

  • You could use the client credentials flow in OAuth (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow), so instead of a username and password you would have a client secret or certificate to use for logon. You can then scope the access down to one mailbox (https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access) so you don't have access to all mailboxes in the tenant.

    If it is a new application then I would suggest you use the Graph instead of EWS, as it's now really a legacy API and the Graph will be fine for what you're trying to do. It has the advantage of requiring fewer permissions (e.g. you can just give access to email, while EWS gets access to the whole mailbox) and more supportability in the future.
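The flow the answer describes, as an added example that is not part of the answer and not Microsoft's own sample code: the application obtains its own Graph token with the client credentials grant (no user sign-in, so there is nothing for the user to re-sync; when the token nears expiry the app simply requests a new one with its secret or certificate), then lists the messages from one sender in one mailbox. It uses only the Python standard library. The tenant id, client id and secret are placeholders; the mailbox and sender addresses are constructed examples; the `AppTokenCache`, `token_request`, `messages_url` and `summarize` names are this example's own. It assumes the customer's admin has granted the app the `Mail.Read` application permission with admin consent and has created an application access policy (the Exchange Online `New-ApplicationAccessPolicy` cmdlet from the linked page, shown in a comment) so the app can reach only the intended mailbox.

```python
"""App-only (client credentials) read of one mailbox through Microsoft Graph.

Standard library only. All tenant/app values below are placeholders to be
replaced with the values from the customer's app registration.
"""
import json
import time
import urllib.parse
import urllib.request

# Placeholders supplied by the customer's tenant admin; keep them in a secret store, not in code.
TENANT_ID = "<customer-tenant-id>"
CLIENT_ID = "<app-registration-client-id>"
CLIENT_SECRET = "<client-secret-or-use-a-certificate>"

# Constructed example addresses.
MAILBOX = "intake@customer.example"
SENDER = "alerts@vendor.example"

# ".default" asks for whatever application permissions the admin consented to (here: Mail.Read).
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Prerequisite on the customer side (Exchange Online PowerShell, run by their admin), restricting
# this app id to a mail-enabled security group that contains only MAILBOX (placeholders in <>):
#   New-ApplicationAccessPolicy -AppId <client-id> -PolicyScopeGroupId <group-address> `
#       -AccessRight RestrictAccess -Description "vendor integration: intake mailbox only"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client credentials grant; no user is involved."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def messages_url(mailbox, sender, top=25):
    """Graph URL listing messages in one mailbox that were sent by `sender`."""
    safe_sender = sender.replace("'", "''")  # OData string-literal escaping
    params = urllib.parse.urlencode({
        "$filter": f"from/emailAddress/address eq '{safe_sender}'",
        "$select": "id,subject,receivedDateTime,from",  # no bodies: fetch only what the site shows
        "$top": str(top),
    })
    return f"https://graph.microsoft.com/v1.0/users/{urllib.parse.quote(mailbox)}/messages?{params}"


def _post_for_token(tenant_id, client_id, client_secret):
    """Exchange the app credential for a bearer token; returns (token, lifetime_seconds)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    return payload["access_token"], int(payload["expires_in"])


class AppTokenCache:
    """Holds the app token and re-requests it before expiry, so no user ever has to re-sync."""

    def __init__(self, tenant_id, client_id, client_secret, margin=300):
        self._args = (tenant_id, client_id, client_secret)
        self._margin = margin  # seconds before expiry at which we renew
        self._token = None
        self._expires_at = 0.0

    def get(self, now=None, fetch=None):
        """Return a valid token; `now`/`fetch` are injectable for offline testing."""
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._margin:
            self._token, ttl = (fetch or _post_for_token)(*self._args)
            self._expires_at = now + ttl
        return self._token


def fetch_messages(token, mailbox, sender):
    """Call Graph with the app token and return the raw message objects."""
    req = urllib.request.Request(
        messages_url(mailbox, sender),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])


def summarize(messages):
    """Keep only the fields the site displays."""
    return [
        {"id": m["id"],
         "subject": m.get("subject", ""),
         "received": m.get("receivedDateTime"),
         "from": m["from"]["emailAddress"]["address"]}
        for m in messages
    ]


if __name__ == "__main__":
    cache = AppTokenCache(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    for item in summarize(fetch_messages(cache.get(), MAILBOX, SENDER)):
        print(item["received"], item["from"], item["subject"])
```

Two points worth checking when adopting this: the `$select` keeps message bodies out of the response, so the site stores no more mail content than it displays, and the access policy on the customer side (not the `$filter` in the URL) is what actually prevents the app from reading other mailboxes. The customer's admin can confirm the restriction with `Test-ApplicationAccessPolicy` before handing over the credential.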