c# - 如何限制 Office 365 应用程序的邮箱访问

Question

我正在尝试找出如何限制应用程序可以访问的邮箱。

我已遵循本指南并使用仅应用程序身份验证:https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

根据文档，我必须设置“full_access_as_app”权限。 然而，信息文本指出: “允许应用程序在没有登录用户的情况下通过 Exchange Web 服务对所有邮箱拥有完全访问权限。”

我可以读取邮箱，但我想限制我的应用程序可以访问哪个邮箱。 谁能指出我正确的方向？

谢谢。

我的代码:

   static async System.Threading.Tasks.Task Main(string[] args)
    {
        // Using Microsoft.Identity.Client 4.22.0
        var cca = ConfidentialClientApplicationBuilder
            .Create(ConfigurationManager.AppSettings["appId"])
            .WithClientSecret(ConfigurationManager.AppSettings["clientSecret"])
            .WithTenantId(ConfigurationManager.AppSettings["tenantId"])
            .Build();

        var ewsScopes = new string[] { "https://outlook.office365.com/.default" };

        try
        {
            var authResult = await cca.AcquireTokenForClient(ewsScopes)
                .ExecuteAsync();

            // Configure the ExchangeService with the access token
            var ewsClient = new ExchangeService
            {
                Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
                Credentials = new OAuthCredentials(authResult.AccessToken),
                ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="dabfb7bbb3b6bbbebea8bfa9a99abeb5b7bbb3b4f4b9b5b7" rel="noreferrer noopener nofollow">[email protected]</a>")
            };

            var mailbox = new Mailbox("<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="62070f030b0e0306061007111122060d0f030b0c4c010d0f" rel="noreferrer noopener nofollow">[email protected]</a>");
            var folderId = new FolderId(WellKnownFolderName.Inbox, mailbox);

            var inbox = Folder.Bind(ewsClient, folderId);

            if (inbox != null)
            {
                FindItemsResults<Item> items = inbox.FindItems(new ItemView(100));

                foreach (var item in items)
                {
                    Console.WriteLine(item.Subject);
                }
            }
        }
        catch (MsalException ex)
        {
            Console.WriteLine($"Error acquiring access token: {ex}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Error: {ex}");
        }

        if (System.Diagnostics.Debugger.IsAttached)
        {
            Console.WriteLine("Hit any key to exit...");
            Console.ReadKey();
        }
    }

Answer 1

您可以关注Scoping application permissions to specific Exchange Online mailboxes .

虽然此文档位于 Microsoft Graph 下，但它也应该适用于 https://outlook.office365.com模块，因为此设置用于应用程序注册和 O365 邮箱。

您需要创建一个应用程序访问策略来设置 -AccessRight RestrictAccess .

然后测试新创建的应用程序访问策略，该策略限制对用户 <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8cf9ffe9febdccefe3e2f8e3ffe3a2efe3e1" rel="noreferrer noopener nofollow">[email protected]</a> 的访问.

Test-ApplicationAccessPolicy -Identity <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3d484e584f0c7d5e525349524e52135e5250" rel="noreferrer noopener nofollow">[email protected]</a> -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b