makeEwsRequestAsync() and legacy token deprecation compatibility

[xxronis]

Hi, during our NAA migration and moving to Graph from EWS for our addins, we encoutered limitations regarding Contact list expansion using Graph and maybe more. So we probably need to somehow continue using EWS.

I want to cross check that setting an Authorization header with the new msal token will work for makeEwsRequestAsync() when legacy token are deprecated, like:

return new Promise((resolve, reject) => {
   Office.context.mailbox.makeEwsRequestAsync(ewsPayload, (asyncResult: Office.AsyncResult<string>) => {
       ...
    },
    {
        headers: {
          Authorization: `Bearer ${token}`, // MSAL token
        },
      }
    );
});

So, my questions are:

1. Will the request above continue to work with Authorization overridden by that header when legacy token are deprecated, or it will continue to internally use legacy token?
2. If not, should I directly post to EWS with that header in my own request?
3. Is turning the legacy tokens OFF in a tenant enough to test this end-to-end?

Thank you

[JuaneloJuanelo]

@xxronis thanks for reporting this. you mention something really interesting. what limitation did you found on the graph on this topc? what you are describing should be doable with the graph which we strongly recommend you move to.

[davidchesnut]

Hi @xxronis,

I don't know that your approach would work. I think the userContext is just state you can pass so that it gets sent to your callback function.

What's the EWS functionality that is missing in the Microsoft Graph API? We can look into a workaround for you. Do you have a SOAP example?

Thanks,
David

[xxronis]

Hi @JuaneloJuanelo @davidchesnut , thanks for responding.

What I was seeing and need to revalidate and come back with more intel for you guys:

Im getting the group id by its name
https://graph.microsoft.com/v1.0/groups?$filter=displayName eq '${name}'&$select=id,mail
and then look for the members like:

https://graph.microsoft.com/v1.0/groups/${group.id}/members?$select=mail

I was not getting back the members of personal Contact lists, not DLs, not other groups, the contact list is what i was having trouble with.

Permissions granted:

The EWS that solves this after I resolve the id and email of the list and it was always like that is:

    let queryString = dlEmail ? `<t:EmailAddress>${dlEmail}</t:EmailAddress>` : `<t:ItemId Id="${dlId}"/>`

    const ewsExpanDl = `<?xml version="1.0" encoding="utf-8"?>
      <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
        <soap:Header>
          <RequestServerVersion Version="Exchange2013"
            xmlns="http://schemas.microsoft.com/exchange/services/2006/types" soap:mustUnderstand="0" />
        </soap:Header>
        <soap:Body>
          <m:ExpandDL>
            <m:Mailbox>
              ${queryString}
            </m:Mailbox>
          </m:ExpandDL>
        </soap:Body>
      </soap:Envelope>`;

Hm , i now see what you mean about userContext and what Ive done seems totally wrong, maybe I confused my self with Graph headers, but still the issue and the question remains: Is there a way to make makeEwsRequestAsync compatible with new tokens or it will always work with the legacy ones?

Thanks!

[davidchesnut]

Hi @xxronis, okay, yes, the ExpandDL EWS command does not yet have full support in Microsoft Graph. That's a gap the Microsoft Graph team is actively working to address. In the meantime, you can work around it by sending the SOAP request directly (such as fetch) and follow the guidance for using an OAuth token here: Authenticate an EWS application by using OAuth.

Note though that you need to send the SOAP request from a web API server, not the add-in task pane. You'll run into CORS errors calling from the add-in browser or webview.

You might also want to check out a sample we're publishing soon that shows how to secure your web API server with an Entra ID access token, and how to pass user identity to it. In this PR OfficeDev/Office-Add-in-samples#924

Let me know if you get stuck or need help on this approach. It's a little different.

Cheers,
David