I'm working on an app that is used by about 50 project managers to make quotations. When a quotation is ready, it is to be emailed to the intended customer from one of two accounts, lets call these Left and Right, depending on the postal code of the customer. We would like to use Microsoft Graph API to facilitate sending these emails. I'm confused as to whether I should get access to Graph 'on behalf of a user' or 'without a user'. The quotation is not sent from the account of the project manager that is logged into the app. It is sent from either the Left or the Right account. Thanks for any guidance!
On behalf of a user:
https://learn.microsoft.com/en-us/graph/auth-v2-user
Without a user:
https://learn.microsoft.com/en-us/graph/auth-v2-service
I think the choice depends on the way you set up your application.
The 'without a user' flow refers to a process in which there is no user that signs in. That means you need to obtain a token in that process to send an e-mail using the Graph API. If your admin has given consent to your application's permissions for sending e-mails, it is possible to send an e-mail as a given user. Rather than the user consenting on behalf of their inbox like the 'On behalf' flow, the admin can consent on behalf of all user's inboxes in a given tenant. You will need an auth token on behalf of your application and the id of the given user. Though this would personally not have my preference as technically e-mail can be sent from any e-mail address within the tenant.
You could use the 'On behalf' flow if the project managers do have access to the left or right account (like a shared inbox) and if the e-mail sending is invoked from the application itself. If it is not sent from that context, you would need to use the first option.
Related
I have a background application ( azure function ) which needs to send email from our service account to set of the users under same tenant . I am planning to use the GRAPH api to send the email and I can achieve it using below steps
a. Register an app in azure directory
b. Assign the application permission to send email as any user
c. Get the admin consent for that permission
d. write c# code to get the token and call graph api to send email
I do not see issue with the above approach except the fact that we will be getting the consent to send email as any user , which is quiet dangerous , this will enable me to send email as CEO or CFO of our company
could you please help or guide me if there is any way to send email on behalf of other user using graph api for demon applications ?
Regards,
Kumar
You can scope the Service principal permission just to the mailboxes you need to send as https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access. The other way is to have a service account and the grant it delegate access to mailboxes you want to send as but this is generally less secure and harder to maintain (eg you have username and password).
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.
I have a Slack App (source code) where I want to send reminders to channels where a certain piece of text has been mentioned the most on a schedule. It works, but there's a limitation:
The search.messsages API method only supports user tokens. I want this to run in the background, without interaction. Approaches that have come to mind:
Store my personal user token
Con: Would allow others with access to the token to be able to see my private messages
Create a fake user whose only purpose is that user token
Con: Have to pay for that fake user indefinitely, manage shared credentials, etc.
Any other ideas?
Here is what you can do:
Switch on distribution of the Slack app.
Have the admin, or an existing user on the Slack channel install the app. During the time of installation, you can ask for permissions with user token and search:read scope.
Now you can make all the searches using this user's token. You'll need to plan for the scenario where this user is deleted from the Slack workspace, your user token will stop working.
I don't think there is a way to control it from searching for your personal messages. Search functionality is dependent on the user token.
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
I have an web application with existing users and user ids (i.e. not Slack user ids). I'd like to allow my users to install my new Slack app.
How do I know which of my users connects to Slack using OAuth and installs my app? I know you can request email but what if the Slack email is different from the email address used to originally sign up to my application.
It's crucial that I know which Slack users are linked to my existing users. Is there a way to send my existing users' user_id through the OAuth process so I know how to link a Slack user to one of my users?
Potential Solutions?
User's cookie will allow me to identify them upon the Slack OAuth
redirect.
Use the state variable as a way to identify a user on my
site
I would not use the state property to transfer user information. It's theoretical possible, but would defy the purpose of the state property as security measure.
Instead you just need to keep the user context on your website during the Oauth process (e.g. by storing the user ID in a server session), so you can store the connection between your custom user ID and the Slack user ID later.
Here is the full process:
You users will first need to log-in to your website to identify
themselves.
Your website will then have the user ID of the user and need to keep
this context, e.g. in a server session.
Next your user has the option to install your Slack app. After the
installation is finished the Oauth process will automatically
redirect your user back to your website.
You can then get the current user ID by calling auth.test
with the access token you just received.
Finally have both the custom user ID and the Slack user ID an can store
this connection, e.g. in your database for future reference.
Alternatively you can add this information to the Slack user as
custom property with users.profile.set