I am going to develop a module using Exchange Web Service Managed API 2.0.
I would like to know whether we need to have ADMIN level permission to access the EWS web service? Can any account, access the EWS service or it requires ADMIN rights?
I am asking this question because the code I am going to write is going to access the Exchange Server 2007 using EWS.
You need the login to the mailbox (usually primary SMTP and password), and that does not have to be an admin login.
There is also impersonation where you can login 'as another person'. You must then have the login information for the other and you must have impersonation permissions.
Finally, if user X shares his mailbox with Y, Y can login and access the mail from X. What he can do depends on the rights X gave him.
Related
I want to have a windows service that can received unread mail from my O365 account every 3 minutes and have different action depends on Mail subject. I choose EWS managed API instead of Graph is because maybe I would use this program on Exchange Server in the future. I'm following this tutorial Authenticate an EWS application by using OAuth and I have some question about permission control, in this case I use Application permissions which run without a signed-in user present. for example, apps that run as background services or daemons and can access multiple mailboxes.
Now I can access my mailbox with the applicationID, tennatID and Client-secret. But I have to inpersonate someone within my tennat(domain) and than I can send mail by the Mail Account. My question is Is it have any permission control can set that this application only can access or inpersonate part of tennat user rather than all user within my tennat? (in Azure AD Api permission setting I only seen full_access_as_app - Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user.) I think its not make sense if this application have permission that can impersonate ALL user of my organization, that would be a big deal if this application client-secret exposes.
Sorry for my poor English.
You can use Application access policies to scope your application so it only has access the mailboxes it needs. see https://learn.microsoft.com/en-gb/graph/auth-limit-mailbox-access.
Can I access Gsuite domain users mailbox using admin credentials of that account.
Currently I am using service account and able to read mailboxes, but can the same thing be done using admin credentials without service account.
Note: I am using Gmail API to read mailbox
You have to use service account in order to access domain wide user's data. Gmail API is scoped to individual users, even if you authorize with the domain super admin you will get access only to his personal data.
Please refer:
https://developers.google.com/admin-sdk/reports/v1/guides/delegation,
https://developers.google.com/gmail/api/guides/migrate-from-email-settings.
I have started to research how to send a mail with Microsoft Graph, but I'm not sure if my scenario is supported.
I need to send a mail at a certain time from a service for a certain user in our company.
I have an application configured in Azure that has the permission for using the Microsoft Graph to send an mail as a user, delegated or not delegated.
I know how to send a mail through the API with a logged-in user.
Is it possible to do this for a user that isn't logged in on the machine at that time or didn't provide an accestoken to my backend server ( bearer token)
Is it possible to do this for a user that isn't logged in on the machine at that time or didn't provide an accestoken to my backend server?
No, you need an access token to access the service on behalf of someone else. There is no way to circumvent that so you can perform actions as a user that hasn't authenticated against the service.
I am a little new to IIS and am not 100% sure that this is possible. I am writing a C# application that needs to get the users network credentials and then connect to TFS using those credentials. I am able to do one or the other, but never both at the same time.
To obtain the users credentials that is accessing the site I have to use NetworkService as the AppPool's Identity with a call to credentials = System.Web.HttpContext.Current.User.Identity.Name. The reason i need to get the users username is to find out which items they have permission to access in TFS later using item.VersionControlServer.GetEffectivePermissions(credentials, item.ServerItem).
To connect to TFS I have to put the users credentials as the AppPool's Identity or give NetworkService access to TFS (not something that is going to happen) with a call to RegisteredTfsConnections.GetConfigurationServer("server");
I either need a way to use the credentials obtained by the application to access TFS, or I need a way to create a new user that has "Network Service like" abilities to get the user's credentials and then give this user access to TFS.
You are essentially hitting something called 'double hop authentication' and you will not be able to proceed without making sure that you have a Kerberos token.
Its quite complicated to configure Kerberos but once you have it up and running your code will just start working. The only other way to achieve this is to actually have the users username and password.
What I didn't know and recently found out is that if you set IIS to run as a user, you can enable Windows Authentication in the IIS > (Select Site) > Authentication settings and use HttpContext.Current.User.Identity.Name to obtain the current logged in user.
When a user runs an on-demand workflow in Microsoft CRM 2011, is it possible to access their credentials?
I am creating a custom workflow activity designed to access a sharepoint server with shared Active Directory accounts. I would like to be able to use the user who runs the on-demand workflow's credentials for Sharepoint authentication. Is it possible to access these credentials in custom code? If so, how (C# if possible)?
Unfortunately it is possible to get the credentials but you won't be able to use them to authenticate to the Sharepoint Server, at least in the online versions.
We had a similar scenario but in the end we had to use a special user to do all the work in sharepoint, we were triggering the code with a plugin and using the REST Endpoint to do the work.
You can access the the User Credentials from the localContext, but you won't be able to retrieve the password.
Is your environment onpremise or online?/