I'm currently developing an EWS client application under iOS, so I'm using the Exchange Web Services for communicating with the Exchange 2010 server (plain XML as opposed to the managed API).
I am aware how to access the mailbox and calendar of a delegate and grant or delete delegate access to a mailbox, but before accessing I need to find these mailboxes first. That is, I want to find all mailboxes which my current user has access to (as opposed to all users who have access to the current mailbox, which is well-documented).
This question from 2011 (EWS API Delegate List) indicates that there is no possibility, but without providing any references. I have not found any resources and no hints in the documentation, but Outlook easily identifies these mailboxes. Maybe it is using some internal API, I was unable to find the corresponding requests in its communication with the server.
How can I find these mailboxes? Or is there still no way of achieving this, assuming the answer from 2011 was correct? If so, how does Outlook manage to do this?
There are a few ways in which you may be granted access to another user's Mailbox. One method is via Outlook Delegates, which basically modifies the Folder ACEs and also the FreeBusy object in the user's Mailbox. The other method is if the Admin grants somebody full access to a Mailbox using Add-MailboxPermission and then allows AutoMapping http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/mailbox-auto-mapping-exchange-server-2010-part1.html of the Mailbox. This means Outlook will automatically connect the Mailbox as an additional Mailbox.
So to find Mailboxes that your user will Automap, you can use Autodiscover and the Mailbox will be returned in the AdditionalMailboxes, e.g.:
<?xml version="1.0" encoding="utf-8" ?>
<soap:Envelope xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<a:RequestedServerVersion>Exchange2010_SP2</a:RequestedServerVersion>
<wsa:Action>http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetUserSettings</wsa:Action>
<wsa:To>https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc</wsa:To>
</soap:Header>
<soap:Body>
<a:GetUserSettingsRequestMessage xmlns:a="http://schemas.microsoft.com/exchange/2010/Autodiscover">
<a:Request>
<a:Users>
<a:User>
<a:Mailbox>user@domain.com</a:Mailbox>
</a:User>
</a:Users>
<a:RequestedSettings>
<a:Setting>AlternateMailboxes</a:Setting>
</a:RequestedSettings>
</a:Request>
</a:GetUserSettingsRequestMessage>
</soap:Body>
</soap:Envelope>
For Outlook delegates it's a little different story: if some random user adds you as a delegate (and doesn't send you the summary or let you know), nothing will happen and Outlook won't show or know about this. However, if you do know that somebody has delegated you access to their calendar, for example, and you then open that calendar in Outlook, the first time you do this it will add a Wonderbar (Navigational) shortcut https://msdn.microsoft.com/en-us/library/ee202589(v=exchg.80).aspx that Outlook (and OWA) will then use in the future to show this calendar by default. You can make use of these Nav shortcuts in a mailbox by querying them in the CommonViews folder, e.g. EWS - Access All Shared Calendars. (Note: if you were using the new REST API in Office365 you can now do this natively in the API.)
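An added example, not part of the original answer: parsing a GetUserSettings response for the AlternateMailboxes setting requested above and listing delegate mailboxes that are not on an approved list, as an access review would. The response is a constructed, trimmed sample, and `unapproved` and its allow-list are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Namespace of the Autodiscover SOAP service, as used in the request above.
A = "{http://schemas.microsoft.com/exchange/2010/Autodiscover}"

# Constructed, trimmed response; addresses and display names are made up.
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<GetUserSettingsResponseMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
<Response xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><UserResponses><UserResponse>
<UserSettings><UserSetting i:type="AlternateMailboxCollectionSetting">
  <Name>AlternateMailboxes</Name>
  <AlternateMailboxes>
    <AlternateMailbox><Type>Archive</Type><DisplayName>Archive - User</DisplayName></AlternateMailbox>
    <AlternateMailbox><Type>Delegate</Type><DisplayName>Finance</DisplayName>
      <SmtpAddress>finance@example.test</SmtpAddress></AlternateMailbox>
    <AlternateMailbox><Type>Delegate</Type><DisplayName>CEO Office</DisplayName>
      <SmtpAddress>CEO@example.test</SmtpAddress></AlternateMailbox>
  </AlternateMailboxes>
</UserSetting></UserSettings>
</UserResponse></UserResponses></Response>
</GetUserSettingsResponseMessage></s:Body></s:Envelope>"""


def alternate_mailboxes(soap_xml):
    """Return the AlternateMailbox entries of a GetUserSettings response."""
    root = ET.fromstring(soap_xml)
    result = []
    for setting in root.iter(A + "UserSetting"):
        if setting.findtext(A + "Name") != "AlternateMailboxes":
            continue  # some other requested setting
        for mbx in setting.iter(A + "AlternateMailbox"):
            result.append({
                "type": mbx.findtext(A + "Type", default=""),
                "display_name": mbx.findtext(A + "DisplayName", default=""),
                # Entries without an SmtpAddress element yield "".
                "smtp": mbx.findtext(A + "SmtpAddress", default="").lower(),
            })
    return result


def unapproved(mailboxes, approved):
    """Delegate mailboxes whose address is not on the approved list."""
    allowed = {a.lower() for a in approved}
    return [m for m in mailboxes
            if m["type"] == "Delegate" and m["smtp"] not in allowed]
```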
I have a working VSTO COM based Outlook add-in that intercepts all incoming/outgoing emails on a desktop outlook which is then used to save the details of the email into a SQL database. Below is a brief description of the steps I take using the add-in:
Intercept an incoming/outgoing email and adds a custom GUID as a user property on the email
Calls an end-point to my custom Web API on the cloud and sends an XML with details like the GUID (saved above) and other mail related ids and details
The API end-point saves the details into a SQL database and returns the response back to Outlook so that Outlook doesn't freeze up
A windows service runs in the background and monitors this SQL database for email items and makes a Web API call to Exchange or Office 365 to find the email using the GUID user property and then save it where needed.
I cannot save the email directly via the API call from VSTO add-in since there is some custom time-consuming logic that happens in the API so I cannot keep Outlook frozen for that time.
Is it possible to create something similar using the newer Outlook Web Add-in?
Kind of - you can intercept outgoing messages, but if you do, your addin won't be eligible to be published in the store.
It is still much easier in a VSTO addin. You cannot access Outlook Object Model from a secondary thread, but you can still run your code that does other things. Once you are done, you can access OOM on the main thread by opening message that you need to process by its entry id saved before you started the secondary thread. Note that the inability to access various objects from a secondary thread is OOM specific - Extended MAPI objects can be accessed from secondary threads, but Extended MAPI requires C++ or Delphi. In other languages (including all .Net languages), you can use Redemption (I am its author) and its RDO family of objects - all you need to do is save the value of the Application.Session.MAPIOBJECT property in a dedicated variable, then on a secondary thread create an instance of the RDOSession object and set its MAPIOBJECT property to the variable you saved on the main thread (see http://www.dimastr.com/redemption/faq.htm#Threads for more details).
Is it possible for a user connected to Exchange Server via a client (Outlook Web App) to tamper with the e-mails in his mailbox (inbox, drafts, sent items etc.)?
Like modifying e-mail content (text, subject...) or properties (date, time, recipient...).
The core of the question is: If there is an e-mail in the user's sent items folder and this user did not have access to the Exchange Server (neither physically nor remotely, except for his standard user access), how sure (or probable) is it that this e-mail has really been sent on that date and time with exactly that text to exactly those recipients and that it had not been planted there at a later date?
Does it make a difference if that user only has access to his account via Outlook Web App or if he also has access via MS Outlook?
Outlook Web App is just a client, so it won't allow you to modify a sent email or fake/import one, as that is not a valid task for that client. You could do this at the API level using something like EWS or MAPI, but that would require knowledge that most users won't have (but most likely they would have access to do it, though). The mitigation to this is if you have Litigation Hold enabled https://technet.microsoft.com/en-us/library/ee861123%28v=exchg.141%29.aspx on the mailbox; then any changes they did make to a message would be tracked and you would always be able to see the original version. Also, if you looked at the message with a MAPI editor like MFCMapi or OutlookSpy, there would be telltales of somebody trying to fake a message, like the creation time not matching the sent time etc., and other properties would most likely give it away.
One thing I would suggest is to look at your Message Tracking logs, as they will tell you exactly what was sent, who it was sent to and the time https://technet.microsoft.com/en-us/library/bb124375%28v=exchg.160%29.aspx. While these also aren't immutable, it would take administrative access to the server to modify them.
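An added example, not part of the original answer: the two checks described above (creation time against sent time, and the mailbox copy against the message tracking log) applied to constructed data, producing indicators for review. The CSV column names, the dictionary keys and the five-minute tolerance are assumptions of this example, not an Exchange schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed tracking export; column names and the semicolon-separated
# Recipients field are assumptions of this example.
TRACKING_CSV = """Timestamp,EventId,MessageId,Sender,Recipients,MessageSubject
2017-03-01T09:15:02Z,SUBMIT,<a1@example.test>,user@example.test,boss@example.test,Q1 report
2017-03-01T09:15:03Z,SEND,<a1@example.test>,user@example.test,boss@example.test,Q1 report
2017-03-02T10:00:05Z,SEND,<c3@example.test>,user@example.test,boss@example.test,Offer
"""
# Constructed Sent Items properties, as they would be read with a MAPI editor.
MESSAGES = [
    {"id": "<a1@example.test>", "subject": "Q1 report", "to": ["boss@example.test"],
     "created": "2017-03-01T09:14:40Z", "submitted": "2017-03-01T09:15:01Z"},
    {"id": "<b2@example.test>", "subject": "Notice", "to": ["hr@example.test"],
     "created": "2017-06-20T22:03:11Z", "submitted": "2017-02-10T08:00:00Z"},
    {"id": "<c3@example.test>", "subject": "Offer",
     "to": ["boss@example.test", "legal@example.test"],
     "created": "2017-03-02T09:59:50Z", "submitted": "2017-03-02T10:00:04Z"},
]

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def load_tracking(text):
    """Group tracking rows by MessageId."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["MessageId"], []).append(row)
    return index

def check_message(msg, tracking, tolerance=timedelta(minutes=5)):
    """Return the inconsistencies found for one Sent Items message."""
    findings = []
    submitted = ts(msg["submitted"])
    if ts(msg["created"]) - submitted > tolerance:
        findings.append("created-after-submit")  # item appeared after its claimed send time
    rows = tracking.get(msg["id"], [])
    if not rows:
        return findings + ["no-tracking-entry"]  # server never logged this Message-ID
    if all(abs(ts(r["Timestamp"]) - submitted) > tolerance for r in rows):
        findings.append("tracking-time-mismatch")
    logged = {a.strip().lower() for r in rows
              for a in r["Recipients"].split(";") if a.strip()}
    if {a.lower() for a in msg["to"]} != logged:
        findings.append("recipient-mismatch")
    if any(r["MessageSubject"] != msg["subject"] for r in rows):
        findings.append("subject-mismatch")
    return findings
```

Tracking logs are kept only for a limited time, so `no-tracking-entry` has to be read against the log retention window before it is treated as evidence.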
Our IT has provided me with a service account (ex-sa-devtest@mydomain.de) that has delegate rights to a room's mailbox (EX-Room-A@mydomain.de) and a user's mailbox (user.a@mydomain.de).
In Outlook, running as user.a, I created an event using EX-Room-A as room. Now here is the matrix what happens in Outlook Web Access and by using the EWS API FindItems (resp. GetItem):
Using the credentials of user.a, I see the correct event details (Subject and Body) on the mailbox of user.a. When accessing the mailbox of ex-room-a, I get "ErrorFolderNotFound: The specified folder could not be found in the store."
Using the credentials of ex-sa-devtest on mailbox of ex-room-a, I see Subject="User A " (note the space at the end) and Body is empty. On mailbox of user.a, I see correct Subject and Body.
What causes the "rewrite" of the Subject field and the emptying of the Body field when the service account accesses the room mailbox?
The SOAP XML I use is:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ns2="http://schemas.microsoft.com/exchange/services/2006/messages">
<SOAP-ENV:Header><ns1:RequestServerVersion Version="Exchange2013_SP1"/><ns1:TimeZoneContext><ns1:TimeZoneDefinition Id="W. Europe Standard Time"/></ns1:TimeZoneContext></SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns2:FindItem>
<ns2:ItemShape><ns1:BaseShape>AllProperties</ns1:BaseShape></ns2:ItemShape>
<ns2:CalendarView StartDate="2017-12-06T00:00:00+01:00" EndDate="2017-12-06T23:59:59+01:00"/>
<ns2:ParentFolderIds>
<ns1:DistinguishedFolderId Id="calendar"><ns1:Mailbox><ns1:EmailAddress>ex-room-a@mydomain.de</ns1:EmailAddress></ns1:Mailbox></ns1:DistinguishedFolderId>
</ns2:ParentFolderIds>
</ns2:FindItem>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
For security reasons this information is removed by the Mailbox assistant as part of the Automatic Processing logic. You can configure this using the Set-CalendarProcessing cmdlet https://technet.microsoft.com/en-us/library/dd335046%28v=exchg.160%29.aspx e.g.:
The DeleteSubject parameter specifies whether to remove or keep the subject of incoming meeting requests. Valid input for this parameter is $true or $false. The default value is $true.
This parameter is used only on resource mailboxes where the AutomateProcessing parameter is set to AutoAccept.
I have a custom application with its own database and a connection to Exchange through EWS. Part of this application is a meeting tool which allows users to import Exchange meetings and auto-invite the other users which also use my application. As part of this tool I need to keep my meetings up to date with Exchange, basically maintaining a centralized meeting storage. I can't simply store the user's Exchange credentials due to security concerns and I also cannot customize the EWS server in any significant way (i.e. I cannot add Delegate Access).
The problem is that I am currently simply forcing all users to log in to EWS whenever they go to view a meeting's details and it will query EWS to get the details using that user's EWS credentials and access their copy of the meeting. The problem is that there is no guarantee that any user has the same meeting details as any other user. As is partially explained here. Is there any way I can force the EWS FindItem call to only use the meeting's public (master) properties? i.e. Whatever version of the meeting the organizer has sent out/updated. I just need all users to return the same details when they query for the same meeting.
One solution I've considered is adding a 'bot' user whenever a meeting is imported into my application, and then just always using that bot's version of the meeting. However, I would really prefer to do something more 'under the hood' that doesn't require this extraneous user.
Is there any way I can force the EWS FindItem call to only use the meeting's public (master) properties
No, FindItem will only ever return you information about what is in the folder you're trying to access. You might want to consider using GetUserAvailability to check the organiser; https://msdn.microsoft.com/en-us/library/aa494212(v=exchg.80).aspx would be the closest. I would say that to make your application work correctly you need a service account that has been given at least read access to every user's calendar; you can then make a call to get the organiser's version of the appointment, which will also contain the user responses. If you're using Office365 then the new REST API does facilitate this in a more secure way, e.g. daemon apps https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/
I have a web application which has a calendar, and I want to allow that calendar to be sync'd with an Exchange server.
I've written code to create appointments on an Exchange server directly in a user's calendar using WebDAV. I save the appointment locations (URLs) so I can update the appointments in Outlook if something changes in my application.
I'm trying to write an add-in for Outlook that lets a user send their appointment to my web application. In order to save it though (and allow updates in my application to propagate back to Exchange) I need to figure out what the appointment location (URL) is in WebDAV.
Is there any way to get the WebDAV URL of the appointment from within Outlook? I'm using VSTO for my Outlook add-in.
Thanks for the help guys!
This question helped considerably:
How to use WebDav to match dav:href to Outolook Interop href value
And this website was interesting too:
http://www.infinitec.de/post/2007/03/Constructing-OWA-2007-item-ids-from-WebDAV-items.aspx