I understand that for an app to access Office365 mailboxes I need a registered app with Application Permissions, e.g. Mail.Read which - according to its description - "allows the app to read mail in all mailboxes without signed-in user".
This is exactly what I need except I don't need and I am not allowed to read all mailboxes within the organisation.
In order to restrict this further I can of course set an ApplicationAccessPolicy, which allows restricting access to a specific mailbox or, more generally, a PolicyScopeGroupId.
My issue is that when this policy is not active, or is changed or deleted for whatever reason, an app has full access to all of the organization's mailboxes, which sounds very risky in a bigger enterprise.
Isn't there really any other way to handle that vice versa, so that by default no mailbox can be accessed except a set of defined ones?
The other way around can be this: there is a separate Mail.Read permission for both Application and Delegated permissions.
The difference between "App-only vs. delegated permissions":
Permission scopes can be either app-only or delegated. App-only scopes (also known as app roles) grant the app the full set of privileges offered by the scope. App-only scopes are typically used by apps that run as a service without a signed-in user being present.
Delegated permission scopes are for apps that act on behalf of a user. These scopes delegate the privileges of the signed-in user, allowing the app to act as the user. The actual privileges granted to the app will be the least privileged combination (the intersection) of the privileges granted by the scope and those possessed by the signed-in user. For example, if the permission scope grants delegated privileges to write all directory objects, but the signed-in user has privileges only to update their own user profile, the app will only be able to write the signed-in user's profile but no other objects.
"Permissions not requiring administrator's consent" are delegated permissions, while "App-only permissions requiring administrator's consent" are the app-only permissions, which is why it shows up twice.
If you want to access the mail for all the users in your tenant, then you must have a user account that has that level of access, or you need to use an App Only token which grants that scope of access.
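As an added example (not from the original post), this is how the restriction the question describes is applied and, more importantly, verified with Exchange Online PowerShell: the policy scopes an app-only Mail.Read registration to one mail-enabled security group, and Test-ApplicationAccessPolicy shows the effective result for a mailbox inside and outside that group. The app ID, group and mailbox addresses are placeholders.

```powershell
# Added example: scope an app-only registration to one group and verify the effective access.
# The app ID, group address and mailbox addresses below are placeholders.
Connect-ExchangeOnline

$appId      = "00000000-0000-0000-0000-000000000000"    # placeholder: app registration client ID
$scopeGroup = "mailbox-app-readers@contoso.example"      # placeholder: mail-enabled security group

# RestrictAccess: the app may only reach mailboxes of members of $scopeGroup.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess -Description "Limit app-only Mail.Read to group members"

# Effective-access check: AccessCheckResult reports Granted for members of the scope group
# and Denied for every other mailbox. Run it for one mailbox of each kind after every change.
Test-ApplicationAccessPolicy -Identity "alice@contoso.example" -AppId $appId
Test-ApplicationAccessPolicy -Identity "bob@contoso.example"   -AppId $appId

# Audit: an app ID with no policy listed here has unrestricted access to all mailboxes,
# which is exactly the fail-open condition the question worries about, so review regularly.
Get-ApplicationAccessPolicy | Select-Object AppId, ScopeName, AccessRight, Description
```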
I have a requirement to list a subset of my AAD users, identify the manager, and disable the user if the manager is already disabled.
My account has the 'User Administrator' and 'Global Reader' AAD roles.
This task is easy to accomplish using the AzureAD PowerShell cmdlets, however I want to transition to the Microsoft Graph cmdlets.
I understand that I need the scope User.Read.All so I execute the following command:
Connect-MgGraph -Scopes "User.Read.All"
When I log in via the web interface, I am shown a dialog stating that I need consent from an admin (which I understand to be a user with an AAD role of Global Administrator or Application Administrator).
In my tenant, under 'Enterprise Applications > User Consent Settings', the option 'Allow user consent for apps' is selected.
This seems like a step backwards to me. My user has the necessary permissions to perform the required actions, but because MS Graph uses an Enterprise App I need an administrator to grant consent.
My questions are:
Will the admin consent dialog appear every time I execute Connect-MgGraph with a given scope, or just the first time?
Is there a way to achieve my requirement without admin consent?
Question 1
Admin consent can be given in 2 contexts
On behalf of a specific user
On behalf of your organization (all users)
In the admin consent dialog box, the context corresponds to the checkbox "Consent on behalf of your organization".
If you do not give consent on behalf of the entire organization, the admin consent dialog will appear for each user, until consent has been granted either for that user, or the entire organization.
Question 2
There are 2 types of permissions
Delegated (aka Scope)
Application (aka Role)
All Application permissions require admin consent, and SOME delegated permissions require admin consent.
This document details which MS Graph permissions require admin consent, in the column "Admin Consent Required":
Microsoft Graph permissions reference
You can see that the User.Read.All delegated permission is one that does require admin consent:
User.Read.All permission reference
There's no way around this without granting admin consent. This provides a way to control access to applications on a more granular level.
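As an added example (not from the original post), the requirement stated in the question done with the Microsoft Graph PowerShell SDK once consent has been granted. It assumes User.Read.All has been admin-consented for the Graph PowerShell enterprise app, plus User.ReadWrite.All for the disable step (an assumption; adjust to whatever your tenant grants), and the department filter value is constructed.

```powershell
# Added example: disable users whose manager is already disabled, using Microsoft Graph cmdlets.
# Scopes are assumptions (User.ReadWrite.All is needed for the disable step); the filter is constructed.
Connect-MgGraph -Scopes "User.Read.All", "User.ReadWrite.All"

# Check what the session was actually granted before touching any account.
$granted = (Get-MgContext).Scopes
if ($granted -notcontains "User.Read.All") { throw "User.Read.All was not granted; stopping." }

$users = Get-MgUser -Filter "department eq 'Finance'" -Property Id, UserPrincipalName, AccountEnabled -All
foreach ($u in $users) {
    $mgrRef = Get-MgUserManager -UserId $u.Id -ErrorAction SilentlyContinue
    if (-not $mgrRef) { continue }               # no manager assigned: leave the user alone
    # The /manager link returns a directoryObject; fetch the manager's accountEnabled explicitly.
    $mgr = Get-MgUser -UserId $mgrRef.Id -Property UserPrincipalName, AccountEnabled
    if ($u.AccountEnabled -and -not $mgr.AccountEnabled) {
        Write-Host "Disabling $($u.UserPrincipalName): manager $($mgr.UserPrincipalName) is disabled"
        # -WhatIf previews the change without applying it; remove it once the output looks right.
        Update-MgUser -UserId $u.Id -AccountEnabled:$false -WhatIf
    }
}
```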
I have a multi tenant app registered in Microsoft Active Directory that uses admin consent to gain access to some application scope APIs in the Microsoft Graph API. It uses the /token endpoint to get a token, then calls those Graph APIs. It's working perfectly.
https://learn.microsoft.com/en-us/graph/auth-v2-service#token-request
Now I want to enhance my app to access some delegated (user) scope APIs, that do not allow access at application scope. My app is already configured to request these delegated permissions from the admin at admin consent time. But I'd like to call these APIs as each user in the directory, not the admin who installed my app.
Importantly, it is not feasible for me to have every user in the organization individually go through the OAuth flow for my app.
Is that possible?
Can I impersonate a user somehow by exchanging my application token for a user token?
Can the admin do something programmatically to generate tokens as individual users for my app as if they had been put through an OAuth flow?
No, you cannot convert an Application token to a Delegated token. The only way to act as a specific User is for that User to "delegate" those activities to your application.
Note that Admin Consent only provides consent to your App to operate within a tenant. It is distinct from, not a superset of, User Consent. In order to obtain a Delegated token, you need to receive both User and Admin consent.
Please describe the difference. If a user gives access to my app, then can I use the "delegated scenario" to act on behalf of a user and access his/her emails, contacts etc.? I am already using the MS Graph API to access my users' data, but sometimes even after retrieving an access token I encounter this message: Resource could not be discovered.
Delegated Scopes are used for scenarios that involve an authenticated user. Unless you're building a daemon/service app or you have a very specific need, it is a safe bet that you should be using Delegated Scopes. Some scopes may still require Admin Consent (i.e. ability to read any users calendar) but the majority only require the User to consent themselves (i.e. ability to read their own calendar).
Application Scopes (aka "App Only") are used for scenarios where there is no user available to authenticate or the application is headless (and therefore has no UI in which a user could authenticate). These are extremely permissive permissions and always require a Global Administrator to consent to the scopes you've requested. These are also only applicable to Work/School Accounts (AAD) and cannot be used with personal Microsoft Accounts (MSA).
Which scopes are used is a direct result of the OAuth Grant you used to obtain the token.
Authorization Code Grant (authorization_code) == Delegated scopes
Implicit Grant (implicit) == Delegated scopes
Client Credentials Grant (client_credentials) == Application scopes
I'm trying to use the Microsoft Graph API through the OAUTH2 Authentication however I'm struggling to work out how to use Delegated Permissions and not require a user to login.
I'm happy to authenticate the app with myself once, but this will be running on a daemon/service and won't be interacted with via a user. Because of this I can't use the way Microsoft describes Delegated Permissions as that uses /authorize first and then a call can be made to /token.
I know you can use secret keys for /token but it seems that only is using the Application Permissions and not Delegated - which is what I have access to.
Is there a way to authenticate using Delegated Permissions as if I was a user but without a user having to use a sign in page every time?
I needed to do something similar in a daemon app, but application permissions weren't available for the resource to which I needed access (Planner). I was able to accomplish it using the Resource Owner Password Credentials flow and supplying credentials for a service account instead of an actual user.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
This isn't possible. The term "delegated" is very intentional here in that it means "the user has delegated their permissions to your application so you can operate on behalf of that user". Application permissions are not delegated because there is no user in context to delegate their access rights to you.
Authorization Code = Delegated Permission Scopes
Implicit Grants == Delegated Permission Scopes
Client Credential Grants == Delegated Permission Scopes
Much of the Microsoft Graph functionality works with both Application and Delegated scopes so in many cases you can still execute the same scenarios. There are some caveats such as using the shorthand /me which doesn't exist when there isn't a user authenticated (instead you need to use /users[{id}]). There are however some cases where there isn't an equivalent Application scope and these are regularly looked at in an effort to close the gap.
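The grant-to-scope mapping in the two answers above can be checked on a real token rather than assumed: an app-only token (client_credentials) carries a "roles" claim and no user identity, while a delegated token (authorization code or implicit grant) carries an "scp" claim plus user claims such as "upn". This is an added example, not code from either answer; the token it decodes is constructed and unsigned, with dummy header and signature segments.

```powershell
# Added example: classify an access token as app-only or delegated from its claims.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $part = $Token.Split('.')[1]
    # JWT segments are base64url without padding; convert to standard base64 before decoding.
    $b64 = $part.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenKind {
    param([Parameter(Mandatory)][string]$Token)
    $claims = Get-JwtPayload -Token $Token
    # "scp" only appears on delegated tokens; "roles" only on app-only (client_credentials) tokens.
    if ($claims.PSObject.Properties['scp'])   { return "delegated (scp=$($claims.scp); user=$($claims.upn))" }
    if ($claims.PSObject.Properties['roles']) { return "app-only (roles=$($claims.roles -join ','))" }
    return "unknown: neither scp nor roles present"
}

# Constructed sample: a delegated-style payload wrapped in a dummy {"alg":"none"} header and signature.
$payload = @{ aud = 'https://graph.microsoft.com'; scp = 'Mail.Read User.Read'; upn = 'alice@contoso.example' } |
    ConvertTo-Json -Compress
$b64url  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sample  = "eyJhbGciOiJub25lIn0." + $b64url + ".sig"
Get-TokenKind -Token $sample
```

When a Graph call returns "Access denied", running the real token from your app through Get-TokenKind shows whether you actually obtained the kind of token (and permissions) the endpoint requires.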
We are creating a service that requires permission to view other users' (inside the organization) emails. I'm under the impression that two required permissions are Mail.Read and Directory.Read.All. Since I'm not an admin, I got our admin to try it and he still gets 'Access denied'. Is it possible for the admin to give me the necessary directory permissions?
Am I missing something?
(Sorry if I am ambiguous, I am brand new to Graph. Please ask me any question that will help clarify)
Make sure you've enabled the Mail.Read application permission (Read mail in all mailboxes). There is also a Mail.Read delegated permission (Read user mail), which gives you access only to the signed-in user's mailbox.
An admin must grant that permission in Azure Portal for the application. From that point on, the application by itself (with no signed-in user) should be able to access any user's email in the organization.