question

jabrancorp avatar image
0 Votes"
jabrancorp asked KyleXu-MSFT edited

EWS.AccessAsUser.All Via Graph or Exchange Online

Good Morning, Evening Everyone,

Been reading the latest documentation on authenticating an EWS application using OAuth (https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth) ... which is all good.

But one thing that has thrown me is, in the article it references using

{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
}
]
}

As the requiredResourceAccess (API Permission) which goes ahead and adds:

78943-image.png


Which again, is all good ... But I also noticed that the EWS.AccessAsUser.All permissions was available for the Microsoft.Graph API also.

78944-image.png

Does it really make a difference which one you use? I've used the same code sample from that article and it works just fine against the Microsoft.Graph API version (I know were requesting scope as part of that sample: var ewsScopes = new string[] { "https://outlook.office365.com/EWS.AccessAsUser.All" }; but it seems to be accepted ok when I granted admin consent against the Microsoft.Graph version of EWS.AccessAsUser.All (Note we dont allow any user consent so did approval via Azure AD portal as part of registration, failed if i didnt do this suggesting it is accepting the Microsoft.Graph API version)

Anyone able to clarify either the difference or concerns of using one over the other? As i had assumed the Office 365 Exchange Online API was due for retiring next year hence having to add via the manifest directly. Where as when searching under the Microsoft.Graph API i can find EWS.AccessAsUser.All anyway.

CC: @JacksonWoods-MSFT, @JamesTran-MSFT

microsoft-graph-sdk
image.png (4.3 KiB)
image.png (4.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RahulMetangale-9479 avatar image
0 Votes"
RahulMetangale-9479 answered jabrancorp commented

Hi @jabran-corp

EWS and Graph have mostly overlapping functionality, there are some differences. If you rely on an EWS API that does not have a Graph counterpart, you can let Microsoft know via UserVoice of features needed for your app scenarios.

Microsoft is recommending migrating to Microsoft Graph to access Exchange Online data and gain access to the latest features and functionality.

You can read more about this here

I hope this helps.

Thanks.
Rahul

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Rahul,

I'm very aware of the overlap in functionality between EWS > Graph (Mail, Calendar) resources etc. But my question was very specific to the EWS.AccessAsUser.All permission under the Office 365 Exchange Online API vs the EWS.AccessAsUser.All permission under the Microsoft Graph API ...

Are they effectivly the same thing just getting access tokens from a different endpoint? or are there fundamental differences between functionality?

Kind Regards,

Jamie

0 Votes 0 ·
michev avatar image
1 Vote"
michev answered

The Graph one is currently a Delegate level permission only, the Exchange one can also be granted at the application level. For automated tasks, you'd generally want the app-level one, but that depends on your usage scenario.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.