Sending Email using MS Graph API - microsoft-graph-api

I have an app registered as multi-tenant in Azure, configured to allow access to users from other tenants, including personal accounts, etc.
But it fails when I try to send using an external personal account. However, it works fine for tenant members.
My question is: is it required for an external user to have an Exchange license to send email using the Graph API via my app?
If I'm sending using the application-scope sendMail, does the user I send the email from need to have a valid Exchange license?
Thanks!
I need some experienced opinions or links to helpful articles about my issue.

Yes, the user you are using to send the email with application permissions must have a valid Exchange license.
Also, the user has to be part of your tenant when using application permissions; otherwise it will just throw 404 Not Found.

Yes, the user should be licensed. And to be accessed with personal accounts, your application should be registered with the audience "Accounts in any organizational directory and personal Microsoft accounts": https://learn.microsoft.com/en-us/graph/auth-register-app-v2

Related

MSGraph read shared mailbox messages through app service

I am writing an API using the MS Graph API which should be able to read mail from shared mailboxes. I have set up the application in Azure and have given it the following permission (my app is running as its own service and not on behalf of a user).
What I am confused about is:
Why does it show Delegated, while all the rest of my permissions for the application show Application?
Since this is an application, how does a user share a particular mailbox with this application? What I can think of is to create a service account, then have this application impersonate that service account and use it to access the shared mail, but this sounds like a really complicated process and I am wondering if I'm heading down the correct path.
Thanks in advance.
From the Microsoft Graph permissions reference, the Mail permissions Mail.Read.Shared and Mail.Send.Shared require a signed-in user, which is why the permissions show up as delegated. To the best of my knowledge, there isn't currently a way to access shared mailboxes via Microsoft Graph without a signed-in user.
Please let me know if this helps, and if you have further questions.

Grant MS Graph access permissions from one account to others - is it possible?

My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires logging in using that account's credentials, and I wouldn't like to share the account's password (which I have) with those users.
Is it possible to grant permission to those users' accounts so MS Graph will allow them to read/write/send messages from that account once they have logged in? If so, how would it be done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. An administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant

How do I enable any domain to log into my Azure Active Directory app

My current application supports Microsoft and Google OAuth sign-in. The idea is to give users the option of signing in with their personal accounts for ease of access. This is working fine with Google, but AAD will only allow users with emails that end in the App ID URI domain to sign in,
e.g.: App ID URI = someOrg.com/guid and their sign-in = someUser@someOrg.com.
Attempting to sign in with a Microsoft account like an outlook or hotmail account redirects to a page saying
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
Is there a way to allow AAD to accept any Microsoft account in the login, or can it only accept users in a single domain?
Basics
Yes! Check out https://aka.ms/aadv2. The v2 endpoint allows both personal Microsoft and Azure AD accounts to be signed in from a single app registration. You'll need to hit this special endpoint (can be done using the MSAL libraries) and set your app audience in the Azure portal.
Details...
By default and using the following URLs (note the common piece):
https://login.microsoftonline.com/common/v2.0/authorize
https://login.microsoftonline.com/common/v2.0/token
If set to common, your app can sign in any domain and personal Microsoft accounts.
Other options
For the sake of covering everything, here's the other options:
common->organizations: Only allow Azure AD accounts
common->consumers: Only allow personal Microsoft accounts
common->[tenant_id]: Only allow accounts from the specified tenant
MSA as a guest
The edge case you may need to address is a personal Microsoft account added as a guest to an Azure AD tenant. When the user hits common, they'll be signed in as a personal Microsoft account; however, they may intend to sign into their domain. You can build around this by introducing an "enter your email" screen, then passing this as a hint to Microsoft via the common endpoint.
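To make the authority options and the "hint" from this answer concrete, here is an added example (not code from the answer or from Microsoft's libraries) that builds the v2.0 authorize URL for a chosen audience, forwards the collected e-mail as `login_hint`, and shows the check an app using `common` still has to do itself: deciding which tenant ids it accepts and verifying that the token's `iss` matches its `tid`. The client id, redirect URI and tenant ids are constructed placeholders.

```python
from urllib.parse import urlencode

V2_BASE = "https://login.microsoftonline.com"

# Well-known tenant id reported in the `tid` claim for personal Microsoft accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def authority(audience: str) -> str:
    """v2.0 authority for 'common', 'organizations', 'consumers' or a tenant id/domain."""
    return f"{V2_BASE}/{audience}/v2.0"


def build_authorize_url(audience, client_id, redirect_uri, scopes, state, login_hint=None):
    """Build the v2.0 /authorize URL. `login_hint` carries the e-mail collected on an
    'enter your email' screen so a guest MSA user is steered to the intended account."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,            # anti-CSRF value, compared when the code comes back
        "response_mode": "query",
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{authority(audience)}/authorize?{urlencode(params)}"


def tenant_allowed(claims: dict, allowed_tenants: set) -> bool:
    """With `common`, users from any tenant can sign in, so the app (not the endpoint)
    decides which tenants it accepts: `tid` must be on the allow list and `iss` must be
    the v2.0 issuer for that same tenant, so the two claims cannot disagree."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    return claims.get("iss") == f"{V2_BASE}/{tid}/v2.0"


if __name__ == "__main__":
    # Constructed placeholder values, not a real app registration.
    print(build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback", ["openid", "User.Read"],
                              "state-123", login_hint="someUser@someOrg.com"))
```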

Using Office-365-SDK-for-iOS

I am integrating Office-365-SDK-for-iOS to fetch the user profile and contacts from Outlook 365. I configured my application on the Azure management portal successfully. Below are the constants for the app:
// Objective-C string literals; the client id and tenant id are those from the asker's registration
#define OutlookClientId @"11d21f9f-6b16-4ea9-8f73-bbc9a65ac72b"
#define OutlookAuthority @"https://login.microsoftonline.com/06cbda59-d75b-4547-8406-e6af3ff4c658/oauth2/token?api-version=1.0"
#define OutlookRedirectUrl @"http://localhost/MyAppName"
#define OutlookResourceId @"https://graph.microsoft.com/"
When I give the resourceId as https://outlook.office365.com/,
it gives me an error that this is not a valid resource id configured for the app.
I read many URLs to find out the problem but failed. These URLs say that "If your app requires permissions to the Office 365 Mail, Calendar, or Contacts APIs, select the Office 365 Exchange Online service", but there is no such service to enable. Below is my add application page screenshot:
There are only 3 applications to add.
Please help me out with this.
Thanks
What type of account are you logging onto the Azure management portal with? Does it have access to Exchange Online? My guess is your Office 365 subscription doesn't include Exchange or SharePoint, so you don't see them there.
It looks like you're trying to use the Unified API though. In that case your resource ID should be https://graph.microsoft.com/.
Ravi,
Please take a look at this article:
https://msdn.microsoft.com/en-us/office/office365/howto/get-started-with-office-365-unified-api
The resource for the unified API is https://graph.microsoft.com, not the one that you mention above.
In addition, if you want to query mail, events, files, etc., the tenant you are using for development must have a valid Office 365 subscription.
Finally, personal contacts (aka contacts in Outlook) are not yet supported (coming soon); right now you can access organizational contacts using this request: graph.microsoft.com/beta/myOrganization/contacts

Transparent LiveConnect OAuth 2.0 authentication possible?

I am currently working on an application that allows users to upload/download files. My company wants to have user files stored in their OneDrive and not on our server. The only problem with this is that we want to avoid double authentication in order to access their OneDrive account.
For example, we have n users associated with an organization. This organization has a single OneDrive account that all of the users will share (legal?). Once a user authenticates to our application, the idea is to have our application sign them in without user interaction by using the Live API so that they may access their organization's files.
Do we have to authenticate every time we wish to use this service or just once?
It's not a big deal for us to do this once for every organization when setting up their account but a requirement is to avoid double authentication. We want the OneDrive storage to be transparent to the user.
Does this violate any of Microsoft's Terms and Conditions?
Thanks! Any input is appreciated as I've never worked on a cloud-based application before. If OneDrive isn't a viable solution, are there any other recommended services my company could look at?
Consumer OneDrive isn't intended for business use and sharing a single OneDrive account for multiple people isn't recommended either. You should look into OneDrive for business for your scenario: https://onedrive.live.com/about/en-us/business/.
OneDrive for Business uses the SharePoint developer APIs: http://blogs.msdn.com/b/sharepointdev/archive/2013/08/13/access-skydrive-pro-using-the-sharepoint-2013-apis.aspx
I found that the Box API does not support a grant type of password. Neither does OneDrive or Dropbox. Without this grant type it is impossible to send a username and password to log a user in.