Tags: c#, azure, email, oauth-2.0, microsoft-graph-api

Simple way to create an email-sending service after Microsoft disables the older SMTP connection method


I have a Windows Service which currently sends emails for Office 365 users using their email address and password via the older SMTP method.

Microsoft is turning this ability off very soon.

Currently I use MailKit and C# within a Windows service.

The only details I have are the users' SMTP username and password.

My app has no user interaction ability as it runs on another box.

I have read many ways of sending email with OAuth2 and MS, and it seems a lot of people do it differently, and there is no clear path. I have seen approaches such as using MS Azure registered applications and different Azure libraries.

So my question is, what is the easiest route to take regarding a new non-user-interactive service being able to still send email on behalf of a user?

Most of the users I deal with are not able to set up Azure and its products as they are small companies with limited IT support.

I feel like I have perhaps gone down the wrong path of trying to use Azure Graph.

So what is the correct, simplest route, most similar to SMTP, to recreate a simple email-sending Windows service using C#?

Thank you for your time in reading this


Solution

  • As far as I know, Microsoft usually recommends the use of the Graph API for this stuff.

    The preferred way would be to use delegated permissions, i.e. your application has the permission to send an email in the name of the logged-in user. If I understood you correctly, that is not an option for you because you want to send the mails from a non-interactive background service.

    That means that your application itself needs the permission to send an email in any user's name. Obviously this is a much broader permission and you should think about whether you really want to do it this way. Also, if you are in some kind of corporate context, you might also have to involve and get consent from the data protection officer or the like.

    On the technical side, such a permission is called an "application permission", thus you need the Mail.Send application permission, which requires admin consent, i.e. it is not the individual users of your application who decide whether they want to give you permission to send mail in their name (that would be delegated permissions), but an AAD admin has to consent for all of them at once.

    See https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http#permissions and https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-38
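As an added illustration of the application-permission route described in the answer above (this is not code from the question or the answerer), the following C# program uses the Microsoft Graph SDK (Microsoft.Graph 5.x) with Azure.Identity to obtain a token via the client credentials flow and call `POST /users/{sender}/sendMail`. The tenant id, client id, client secret and both mailbox addresses are placeholders, and the app registration is assumed to already hold the admin-consented Mail.Send application permission.

```csharp
// Added example: non-interactive mail sending through Microsoft Graph with
// application permissions (client credentials flow). Requires the NuGet
// packages Microsoft.Graph (5.x) and Azure.Identity.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Users.Item.SendMail;

class GraphMailer
{
    static async Task Main()
    {
        // Placeholders: in a real service read these from configuration or a
        // secret store; never hard-code the client secret in the binary.
        string tenantId     = Environment.GetEnvironmentVariable("GRAPH_TENANT_ID");
        string clientId     = Environment.GetEnvironmentVariable("GRAPH_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET");
        string senderUpn    = "service-sender@example.com";   // mailbox to send as (placeholder)
        string recipient    = "someone@example.com";          // placeholder recipient

        // Client credentials flow: the token is issued to the app itself, so no
        // user signs in. The ".default" scope requests the application permissions
        // (here Mail.Send) that an admin has already consented to.
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var graph = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });

        var request = new SendMailPostRequestBody
        {
            Message = new Message
            {
                Subject = "Notification from the Windows service",
                Body = new ItemBody { ContentType = BodyType.Text, Content = "Hello from the background service." },
                ToRecipients = new List<Recipient>
                {
                    new Recipient { EmailAddress = new EmailAddress { Address = recipient } }
                }
            },
            SaveToSentItems = true
        };

        // Equivalent to POST https://graph.microsoft.com/v1.0/users/{senderUpn}/sendMail
        await graph.Users[senderUpn].SendMail.PostAsync(request);
        Console.WriteLine("Mail submitted via Graph.");
    }
}
```

Because the Mail.Send application permission covers every mailbox in the tenant, an Exchange Online application access policy (New-ApplicationAccessPolicy) can be used to restrict the registration to the specific sending mailbox.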