MSGraph read shared mailbox messages through app service - microsoft-graph-api

I am writing an api using the msgraph api which should be able to read mail from shared mailboxes. I have setup the application in Azure and have given the following permission (my app is running as its own service and not on behalf of an user)
What I am confused about is
Why does it show Delegated, all the rest of my permissions to the application show Application.
Since this is an application how does an user share a particular mailbox with this application, what I can think of is to create a service account, then this application impersonates that service account and then uses the service account to access the shared mail, but this sounds like a really complicated process and am wondering if I'm heading down the correct path.
thanks in advance.

From the Microsoft graph permissions reference, Mail Permissions Mail.Read.Shared and Mail.Send.Shared require a signed in user which is why the permissions show up as delegated. To the best of my knowledge, there isn't currently a way to access shared mailboxes via Ms graph without a signed in user.
Please let me know if this helps, and if you have further questions.

Related

Sending Email using MS Graph API

I have an App. registered as multi-tenant in azure, configured to allow access to users from other tenants including personal accounts etc..
But it fails when I tried to send using an external personal account. However it is working fine on the tenant members.
My question is, is it required for an external user to have an Exchange License to send email using the Graph API via my app?
If I'm sending using the application scope sendMail, does the user I used to send the email from needs to have a valid exhange license?
Thanks!
I need some experienced opinions or links to a helpful articles about my issue.
Yes, the user you are using to send the email using application permission must have a valid Exchange license.
Also, user has to be part of your tenant while using the application permission otherwise it will just throw 404 not found
Yes, user should be licensed. And to be accessed with personal accounts your application should be registered with audience as "Accounts in any organizational directory and personal Microsoft accounts" https://learn.microsoft.com/en-us/graph/auth-register-app-v2

How to get permission for an application to access Microsoft Graph API using mail?

As of now, I have created an application that has certain permissions to access Mail Information of certain users in an organization. Till this point, admin from the organization would create the service and provide the credentials.
However, as a plan to scale the application to multiple organizations, I'd like to send a mail to admin to grant access for the permissions and automatically get the credentials.
I'm open to alternative ideas. Any ideas if the above is even feasible?
This is quite impossible to automate the complete process creating, and admin still need to approve the permission in Azure AD. What you can do here is ,just create the application and if user tries to access the app but they can't give consent ,they need to trigger a request for admin approval that can be sent by an email .
To allows admin consent request to be sent via email Configure the admin consent workflow , please follow the docs - Azure AD | Microsoft Docs
Hope that process will help you .

MS graph api - scope access to particular user inbox

We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.

Microsoft Graph API - how to grant access for my inbox via API to specific user(s)

I have a question about handling permission grants of inboxes via Microsoft Graph API.
Is it possible via Microsoft Graph API to grant another user the access permission to my inbox messages?
I dont found any suitable operation until now.
Retrieving relased mailboxes from another user works fine, but how to make my own inbox visible to specific user that he has the grant to access my inbox?
I dont found a operation under:
https://graph.microsoft.com/v1.0/users.....
or https://graph.microsoft.com/v1.0/me.......
Thanks for your help
According to the documentation, you'll need delegated access.
If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user.
At this moment you have no way to share your mailbox by using the api. If you however shared your mailbox with some other user, they will be able to access it.
I think it's a good thing that you cannot share your mailbox from an app, because it would be easy to compromise a mailbox of some user by a malicious app. If you really want you might be able to share the users mailbox by using EWS (that is the same connection the Outlook app uses).

Transparent LiveConnect OAuth 2.0 authentication possible?

I am currently working on an application that allows users to upload/download files. My company wants to have user files stored in their One Drive and not on our server. The only problem with this is that we want to avoid double authentication in order to access their OneDrive account.
For example we have n users associated with an organization. This organization has a single OneDrive account that all of the users will share (legal?). Once a user authenticates to our application, the idea is to have our application sign them in without user interaction by using the Live API so that they may access their organizations files.
Do we have to authenticate every time we wish to use this service or just once?
It's not a big deal for us to do this once for every organization when setting up their account but a requirement is to avoid double authentication. We want the OneDrive storage to be transparent to the user.
Does this violate any of Microsoft's Terms and Conditions?
Thanks! Any input is appreciated as I've never worked on a cloud based application before. If OneDrive isn't a viable solution are there any other recommended services my company could look at?
Consumer OneDrive isn't intended for business use and sharing a single OneDrive account for multiple people isn't recommended either. You should look into OneDrive for business for your scenario: https://onedrive.live.com/about/en-us/business/.
OneDrive for Business uses the SharePoint developer APIs: http://blogs.msdn.com/b/sharepointdev/archive/2013/08/13/access-skydrive-pro-using-the-sharepoint-2013-apis.aspx
I found that the Box API does not support a grant type of passworrd. Neither does OneDrive or DropBox. Without this grant type it is impossible to sent a username and password to log a user in.

Resources