Suggestions for best way to sync an app with active directory distribution lists?

Hi,

I posted this question in the Outlook forums, but it was suggested that I re-post here.

I was wondering what the standard / best way is to sync Active Directory distribution lists with another app?  Ideally I would like a user to be able to enter the distribution list address (e.g. blueteam@testfirm.com) and then it automatically pulls into my app all the individual addresses for that distribution list.  It would then keep this list updated if any changes occurred.

I would also like the user to be able to add an email address to the distribution list from within my app and then have this sync and update the distribution list on Exchange.

The three ways I can think of achieving this are:

1) use an Outlook add-in (which syncs with my app) to update the distribution list

   Cons: requires Outlook to be open at all times for the syncing to occur

   Pros: doesn't require user to enter / store their password and username details on our app, can be stored locally on their machine

2) use a standalone program (process) that runs on 1+ Exchange servers in the organisation and syncs with the app

  Cons: need to build in failover procedures, will need an IT admin to set it up, doesn't work with Exchange Online?

  Pros: would be running as long as the server is running, does not rely on users being logged in / on Outlook

3) ask Exchange server admins to set up a new user with permissions only to edit distribution lists, then ask them to enter these details into my app and sync directly with Exchange (via ActiveSync / APIs?)

  Cons: requires a new user to be set up, requires us to store a username and password

  Pros: no software installation, should be running and syncing as long as our app is working

Are there any other better ways that people here would suggest?  Also, which do you think is the most likely accepted / normal solution for enterprise?

Thanks in advance for any help!

Tom

June 1st, 2015 11:40am

I don't know what your app is and how it works, so I can't tell you what is best, but if you are going to develop something, I would say the best place to interface with is AD.

June 1st, 2015 4:30pm

>>I was wondering what the standard / best way is to sync Active Directory distribution lists with another app?  Ideally I would like a user to be able to enter the distribution list address (e.g. blueteam@testfirm.com) and then it automatically pulls into my app all the individual addresses for that distribution list.  It would then keep this list updated if any changes occurred.

You can use EWS to expand a Distribution List https://msdn.microsoft.com/en-us/library/office/dn629392%28v=exchg.150%29.aspx

Why do you need to sync the distribution lists into your application? Why not just expand them on demand? (Doing it on demand eliminates a lot of complexity and security issues.)

Distribution Lists are just Active Directory groups so you can also just use LDAP via System.DirectoryServices to interact with them directly.

Cheers
Glen

June 2nd, 2015 1:00am

Hi Glen,

I've been away for a while and so I'm only just coming back to this.  Our app is an online compliance tool using Ruby on Rails.  We need some functionality where the user can type in a distribution list email, and then it pulls the distribution list from Exchange.  If someone edits the list in Exchange then the changes should be reflected in our app - this can be a refresh event every 15 mins or so.

So we have previously used EWS to connect our app to Exchange and sync that way; however, our initial client for this expressed concern that they were giving us read access to be able to see all their distribution lists.  Do you think we will find this a common push back from clients, or is this actually the normal way most apps would sync and therefore it's just about getting them comfortable with it?


We could write a background service that sits on a server somewhere and acts as a sync agent between our app and Exchange; the client would input credentials into the background service config so we would never see these.

  - what would be the best way to do this?

Thanks again,

Tom


June 25th, 2015 6:09am

>> We need some functionality where the user can type in a distribution list email, and then it pulls the distribution list from exchange.

But why a distribution list? Why is this the best method for you? The reason I ask is that distribution lists are designed for distributing email. They aren't a security mechanism in themselves; underlying them they are AD groups (although dynamic DLs are just a query), but if you were going to use them for authentication then you would validate them using the Active Directory APIs. Active Directory (or Azure AD if you are in Office 365) is Exchange's directory service.

>> So we have previously used EWS to connect our app to Exchange and sync that way; however, our initial client for this expressed concern that they were giving us read access to be able to see all their distribution lists.  Do you think we will find this a common push back from clients, or is this actually the normal way most apps would sync and therefore it's just about getting them comfortable with it?

It's hard to answer without the context of knowing what your application is, but let's take LinkedIn as an example: if they were requesting the same kind of access to distribution lists then you would get major objections. You're asking the customer to expose their internal directory to a 3rd party, which has a lot of implications.

>We could write a background service that sits on a server somewhere and acts as a sync agent between our app and Exchange; the client would input credentials into the background service config so we would never see these.

Yeah, that would be my approach as well. You can then constrain the data at the sync agent level, e.g. you can access lists x, y, z but not a, b, c, etc., and the only access your app has is to query this service rather than having access to the mail system.

Cheers
Glen

June 25th, 2015 8:37pm
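Tying together Glen's two points above (distribution lists are AD groups you can expand over LDAP, and a sync agent can constrain which lists the app is allowed to see), here is an added example in Ruby, the language of Tom's app. It is not code from this thread or from any product. The directory below is a constructed in-memory stand-in for LDAP entries: the attribute names (objectClass, mail, member, msExchDynamicDLFilter) are the ones AD/Exchange use, but every DN and address is made up, and a real agent would read the entries over LDAP (for example with the net-ldap gem). SyncAgent, expand_group, find_dn_by_mail and DynamicListError are names invented for the example. It handles the three things an expander has to get right: nested lists, nesting cycles, and dynamic DLs (which are a query, not a member list), and it reports only the delta between two refreshes.

```ruby
require "set"

# Constructed stand-in for a slice of Active Directory, keyed by DN. In a real
# sync agent these entries would be read over LDAP (e.g. with the net-ldap gem);
# the attribute names are the ones AD/Exchange use, the data is made up.
DIRECTORY = {
  "CN=blueteam,OU=Lists,DC=testfirm,DC=com" => {
    objectClass: %w[top group], mail: "blueteam@testfirm.com",
    member: ["CN=Alice,OU=Users,DC=testfirm,DC=com",
             "CN=Bob,OU=Users,DC=testfirm,DC=com",
             "CN=redteam,OU=Lists,DC=testfirm,DC=com"]     # nested list
  },
  "CN=redteam,OU=Lists,DC=testfirm,DC=com" => {
    objectClass: %w[top group], mail: "redteam@testfirm.com",
    member: ["CN=Carol,OU=Users,DC=testfirm,DC=com",
             "CN=blueteam,OU=Lists,DC=testfirm,DC=com"]    # nesting cycle
  },
  "CN=allstaff,OU=Lists,DC=testfirm,DC=com" => {             # dynamic DL: a query, no member attribute
    objectClass: %w[top msExchDynamicDistributionList], mail: "allstaff@testfirm.com",
    msExchDynamicDLFilter: "(&(objectClass=user)(mail=*))"
  },
  "CN=Alice,OU=Users,DC=testfirm,DC=com" => { objectClass: %w[top user], mail: "alice@testfirm.com" },
  "CN=Bob,OU=Users,DC=testfirm,DC=com"   => { objectClass: %w[top user], mail: "bob@testfirm.com" },
  "CN=Carol,OU=Users,DC=testfirm,DC=com" => { objectClass: %w[top user], mail: "carol@testfirm.com" },
  "CN=Dave,OU=Users,DC=testfirm,DC=com"  => { objectClass: %w[top user] } # account without a mailbox
}.freeze

class DynamicListError < StandardError; end

# Look a list or user up by its mail attribute; AD mail lookups are case-insensitive.
def find_dn_by_mail(directory, address)
  dn, = directory.find { |_, attrs| attrs[:mail]&.casecmp?(address) }
  dn
end

# Recursively resolve a group's member attribute to a Set of lowercase mail
# addresses. `seen` guards against nested-group cycles (blueteam <-> redteam).
def expand_group(directory, dn, seen = Set.new)
  return Set.new unless seen.add?(dn)
  entry = directory.fetch(dn) { raise ArgumentError, "dangling member DN #{dn}" }
  if entry[:objectClass].include?("msExchDynamicDistributionList")
    raise DynamicListError, "#{dn} is a dynamic DL; evaluate its filter #{entry[:msExchDynamicDLFilter]} instead"
  elsif entry[:objectClass].include?("group")
    Array(entry[:member]).inject(Set.new) { |acc, m| acc | expand_group(directory, m, seen) }
  else
    entry[:mail] ? Set[entry[:mail].downcase] : Set.new
  end
end

# The sync agent the web app talks to. It is the only component holding the
# directory credentials, answers one question ("who is on list X?"), and only
# for lists the customer's admin has allow-listed.
class SyncAgent
  attr_accessor :directory

  def initialize(directory, allowed_lists)
    @directory = directory
    @allowed = allowed_lists.map(&:downcase).to_set
    @last = {}  # list address => members seen at the previous refresh
  end

  def members(list_address)
    key = list_address.downcase
    raise ArgumentError, "#{list_address} is not an allow-listed list" unless @allowed.include?(key)
    dn = find_dn_by_mail(@directory, key)
    raise ArgumentError, "#{list_address} not found in directory" if dn.nil?
    expand_group(@directory, dn)
  end

  # Periodic refresh (every 15 minutes in the thread): return only the delta so
  # the app applies adds/removes and can flag unexpected churn.
  def refresh(list_address)
    key = list_address.downcase
    current = members(key)
    previous = @last.fetch(key, Set.new)
    @last[key] = current
    { added: (current - previous).to_a.sort, removed: (previous - current).to_a.sort }
  end
end

if $PROGRAM_NAME == __FILE__
  agent = SyncAgent.new(DIRECTORY, ["blueteam@testfirm.com"])
  p agent.refresh("blueteam@testfirm.com")
end
```

The allow-list is the piece that addresses the client's objection: the web app never holds directory credentials and cannot ask for a list the admin did not configure, and a request for a dynamic DL fails loudly rather than silently returning an empty membership.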

Hi Glen,

Thanks for your reply.  The reason we need the DLs is because our customers use these for project teams.  Our app is part of a security tool that allows people to create custom rules for groups or individuals, and some of our clients want to be able to type a distribution list into our app and have the rules apply to everyone in the group.  If someone adds a new person to that group or removes someone, then our app will stay in sync with who should be protected and the client doesn't need to worry about manually adding them to the app as well.

We are currently using an Outlook add-in as a temporary hack to do this for the client that didn't want the app to have EWS access, but I think moving this functionality to a background Windows service that sits on a server somewhere is probably the best way forward?

Thanks,

Tom

June 26th, 2015 10:51am
