I have a background application ( azure function ) which needs to send email from our service account to set of the users under same tenant . I am planning to use the GRAPH api to send the email and I can achieve it using below steps
a. Register an app in azure directory
b. Assign the application permission to send email as any user
c. Get the admin consent for that permission
d. write c# code to get the token and call graph api to send email
I do not see issue with the above approach except the fact that we will be getting the consent to send email as any user , which is quiet dangerous , this will enable me to send email as CEO or CFO of our company
could you please help or guide me if there is any way to send email on behalf of other user using graph api for demon applications ?
Regards,
Kumar
You can scope the Service principal permission just to the mailboxes you need to send as https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access. The other way is to have a service account and the grant it delegate access to mailboxes you want to send as but this is generally less secure and harder to maintain (eg you have username and password).
Related
I have an App. registered as multi-tenant in azure, configured to allow access to users from other tenants including personal accounts etc..
But it fails when I tried to send using an external personal account. However it is working fine on the tenant members.
My question is, is it required for an external user to have an Exchange License to send email using the Graph API via my app?
If I'm sending using the application scope sendMail, does the user I used to send the email from needs to have a valid exhange license?
Thanks!
I need some experienced opinions or links to a helpful articles about my issue.
Yes, the user you are using to send the email using application permission must have a valid Exchange license.
Also, user has to be part of your tenant while using the application permission otherwise it will just throw 404 not found
Yes, user should be licensed. And to be accessed with personal accounts your application should be registered with audience as "Accounts in any organizational directory and personal Microsoft accounts" https://learn.microsoft.com/en-us/graph/auth-register-app-v2
As of now, I have created an application that has certain permissions to access Mail Information of certain users in an organization. Till this point, admin from the organization would create the service and provide the credentials.
However, as a plan to scale the application to multiple organizations, I'd like to send a mail to admin to grant access for the permissions and automatically get the credentials.
I'm open to alternative ideas. Any ideas if the above is even feasible?
This is quite impossible to automate the complete process creating, and admin still need to approve the permission in Azure AD. What you can do here is ,just create the application and if user tries to access the app but they can't give consent ,they need to trigger a request for admin approval that can be sent by an email .
To allows admin consent request to be sent via email Configure the admin consent workflow , please follow the docs - Azure AD | Microsoft Docs
Hope that process will help you .
I'm working on an app that is used by about 50 project managers to make quotations. When a quotation is ready, it is to be emailed to the intended customer from one of two accounts, lets call these Left and Right, depending on the postal code of the customer. We would like to use Microsoft Graph API to facilitate sending these emails. I'm confused as to whether I should get access to Graph 'on behalf of a user' or 'without a user'. The quotation is not sent from the account of the project manager that is logged into the app. It is sent from either the Left or the Right account. Thanks for any guidance!
On behalf of a user:
https://learn.microsoft.com/en-us/graph/auth-v2-user
Without a user:
https://learn.microsoft.com/en-us/graph/auth-v2-service
I think the choice depends on the way you set up your application.
The 'without a user' flow refers to a process in which there is no user that signs in. That means you need to obtain a token in that process to send an e-mail using the Graph API. If your admin has given consent to your application's permissions for sending e-mails, it is possible to send an e-mail as a given user. Rather than the user consenting on behalf of their inbox like the 'On behalf' flow, the admin can consent on behalf of all user's inboxes in a given tenant. You will need an auth token on behalf of your application and the id of the given user. Though this would personally not have my preference as technically e-mail can be sent from any e-mail address within the tenant.
You could use the 'On behalf' flow if the project managers do have access to the left or right account (like a shared inbox) and if the e-mail sending is invoked from the application itself. If it is not sent from that context, you would need to use the first option.
I have an web application with existing users and user ids (i.e. not Slack user ids). I'd like to allow my users to install my new Slack app.
How do I know which of my users connects to Slack using OAuth and installs my app? I know you can request email but what if the Slack email is different from the email address used to originally sign up to my application.
It's crucial that I know which Slack users are linked to my existing users. Is there a way to send my existing users' user_id through the OAuth process so I know how to link a Slack user to one of my users?
Potential Solutions?
User's cookie will allow me to identify them upon the Slack OAuth
redirect.
Use the state variable as a way to identify a user on my
site
I would not use the state property to transfer user information. It's theoretical possible, but would defy the purpose of the state property as security measure.
Instead you just need to keep the user context on your website during the Oauth process (e.g. by storing the user ID in a server session), so you can store the connection between your custom user ID and the Slack user ID later.
Here is the full process:
You users will first need to log-in to your website to identify
themselves.
Your website will then have the user ID of the user and need to keep
this context, e.g. in a server session.
Next your user has the option to install your Slack app. After the
installation is finished the Oauth process will automatically
redirect your user back to your website.
You can then get the current user ID by calling auth.test
with the access token you just received.
Finally have both the custom user ID and the Slack user ID an can store
this connection, e.g. in your database for future reference.
Alternatively you can add this information to the Slack user as
custom property with users.profile.set
I have a Slack bot application that needs to authenticate messages received. Instead of receiving a token from Slack, my application will provide a token to Slack. Slack would then send the token to my application during each request. My application can then authenticate who the message came from.
Is there a way on Slack's platform to be an Oauth provider to Slack or some way to authenticate messages?
Thank you
Ah I see! So, again, this is not precisely what you are looking for, but it comes pretty close:
What you can do is use your own OAuth system external to Slack and then tie the users in that system to the user_ids from your Slack team.
On request from a particular user, your bot could DM this user a unique URL that is tied to your own (slack-external) OAuth system. Once the process is complete you can associate your way of identifying users with that of Slack (ie. team_id and user_id)
As a result any message that your bot receives, which would include the user_id of the user that sent it, can now be checked against your own User model to see if this particular user has the required permissions or anything of that nature.
This way you can essentially use any OAuth system in conjunction with Slack's methods of identifying users. It's a bit hacky, but it works.
I built something like this a few months ago. Here we are using the Mondo API's OAuth on top of Slack's own OAuth: Mondobot
The file with the relevant code is this one.