I am trying to request an access token for EWS with a regular @outlook.com Office 365 account. Using EWS with Basic Auth is working without problems.
I am requesting the scope
https://outlook.office365.com/EWS.AccessAsUser.All
from https://login.microsoftonline.com/common.
With an account from our organization this token is granted and access is possible. But with the @outlook.com account it gives me the error
The provided resource value for the input parameter 'scope' is not valid
What is the difference between an organization Office 365 account and an @outlook.com account? And why are the valid scopes different?
The scope is "https://outlook.office.com/EWS.AccessAsUser.All".
Try this code: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
My question is, does Microsoft Graph work without the User.Read scope? I am not able to request the email, profile and openid permissions directly.
It throws an AccessDenied error. So is User.Read a prerequisite for email, profile or openid?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission, but in most cases you do because your app is acting on behalf of the user.
Does Microsoft Graph work without the User.Read scope?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the API document to see if calling that API requires the User.Read permission.
For instance: I want to call this API to list emails, and we can see that this API provides 2 kinds of permissions, one for delegated and another for application (this means the client credentials flow is supported). All the API permissions are listed here, and we need to go to the Azure AD portal to add the API permission to the Azure AD application which is used to generate the access token.
After generating the access token, you can use a JWT decode tool to check if your access token contains the correct scopes (for delegated permissions) or roles (for application permissions). Using a correct token to call the API will not lead to an AccessDenied error. By the way, newly added permissions may take a while to take effect.
I have a question about using EWS with OAuth 2.0 Client Credentials.
In our directory, there are users with member type and guest type; however, all of our administrators are from the Microsoft directory (using v-xxx@microsoft.com) and they are under guest.
My question is whether it is possible to use the client credentials grant type, and use EWS to send email on behalf of these guest users?
For now, I tried to use the EASendMail SDK to achieve this task. However, whenever I use an account within our directory (member type) I get "There is no SMTP email associated", which is what I expected, because we do not have email addresses associated with these users. But when I tried using (v-xxx@microsoft.com), a "Mailbox does not exist" error is raised.
Thank you.
You can, as long as the app has been granted impersonation permissions. OAuth is supported for the client credentials flow (app permissions) and impersonation, so it is possible.
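What that answer describes, as an added example that is not part of the original thread: the two requests an app-only EWS client needs. First the client_credentials token request against the v2.0 endpoint using the EWS `.default` scope (the token then carries application permissions, so there is no signed-in user), and second a CreateItem SOAP call whose ExchangeImpersonation header names the mailbox to send from. Nothing here touches the network; the tenant id, client id, secret, URLs beyond the well-known login and EWS endpoints, and all addresses are placeholders.

```python
# Added example (not from the original thread). Builds, but does not send, the
# app-only EWS token request and an impersonated CreateItem envelope.
from typing import Optional, Tuple
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
EWS_URL = "https://outlook.office365.com/EWS/Exchange.asmx"
EWS_SCOPE = "https://outlook.office365.com/.default"  # app-only scope for EWS

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
T_NS = "http://schemas.microsoft.com/exchange/services/2006/types"
M_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Return (url, form_body) for the client_credentials grant.

    The resulting token has a `roles` claim (application permissions) and no
    `scp`: there is no user behind it, so the mailbox to act as must be named
    per request through the ExchangeImpersonation header below."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,      # placeholder; use a certificate in production
        "scope": EWS_SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def send_mail_envelope(impersonate_smtp: str, to: str, subject: str, text: str) -> bytes:
    """EWS CreateItem envelope (SendAndSaveCopy) sent as `impersonate_smtp`.

    The impersonated address must be a real, licensed mailbox in the tenant;
    a guest with no mailbox is what produces "Mailbox does not exist"."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("t", T_NS)
    ET.register_namespace("m", M_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{T_NS}}}RequestServerVersion", Version="Exchange2013_SP1")
    imp = ET.SubElement(header, f"{{{T_NS}}}ExchangeImpersonation")
    sid = ET.SubElement(imp, f"{{{T_NS}}}ConnectingSID")
    ET.SubElement(sid, f"{{{T_NS}}}PrimarySmtpAddress").text = impersonate_smtp
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    create = ET.SubElement(body, f"{{{M_NS}}}CreateItem", MessageDisposition="SendAndSaveCopy")
    folder = ET.SubElement(create, f"{{{M_NS}}}SavedItemFolderId")
    ET.SubElement(folder, f"{{{T_NS}}}DistinguishedFolderId", Id="sentitems")
    items = ET.SubElement(create, f"{{{M_NS}}}Items")
    msg = ET.SubElement(items, f"{{{T_NS}}}Message")
    ET.SubElement(msg, f"{{{T_NS}}}Subject").text = subject
    ET.SubElement(msg, f"{{{T_NS}}}Body", BodyType="Text").text = text
    rcpts = ET.SubElement(msg, f"{{{T_NS}}}ToRecipients")
    mbox = ET.SubElement(rcpts, f"{{{T_NS}}}Mailbox")
    ET.SubElement(mbox, f"{{{T_NS}}}EmailAddress").text = to
    return ET.tostring(env, xml_declaration=True, encoding="utf-8")


def impersonated_address(envelope: bytes) -> Optional[str]:
    """Read back which mailbox an envelope impersonates (None if no header)."""
    root = ET.fromstring(envelope)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{T_NS}}}ExchangeImpersonation/"
                     f"{{{T_NS}}}ConnectingSID/{{{T_NS}}}PrimarySmtpAddress")
    return None if node is None else node.text


def ews_headers(access_token: str) -> dict:
    """HTTP headers for POSTing the envelope to EWS_URL with the bearer token."""
    return {"Authorization": f"Bearer {access_token}",
            "Content-Type": "text/xml; charset=utf-8"}


if __name__ == "__main__":
    url, form = client_credentials_request("tenant-guid", "app-client-id", "app-secret")
    print(url, form)
    env = send_mail_envelope("sender@contoso.example", "to@contoso.example", "Hi", "Hello")
    print(env.decode())
```

Once the token is obtained, `requests.post(EWS_URL, data=env, headers=ews_headers(token))` is the actual call; the application permission granted to the app in Azure AD must be the EWS `full_access_as_app` role for impersonation to be honoured.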
I would like a JWT access_token to contain a list of security groups. From reading the documentation I attempted setting "groupMembershipClaims": "All" in the manifest of my application registration.
The setup is that I have an Azure AD domain with 2 users. Then I have 2 groups: [user, admin]. Each user has one of the groups assigned to it. Each group is of type security.
I am attempting to perform the OAuth code flow manually, by going to a URL formatted similar to this:
https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<application-id>&response_type=code&redirect_uri=http://localhost:8080&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
Then I log in using the user account I set up in Azure AD. Then I use Postman to submit a POST request to https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token with parameters:
client_id = <client-id>
code = code from previous login,
redirect_uri = http://localhost:8080
grant_type = authorization_code
scope = user.read mail.read
I get a valid response back, with an access_token. However when I decode it there is no group claim listed at all.
How can I get the groups listed in the token?
According to my research, the Azure AD v2 endpoint does not yet support groups claims in its token. For more details, please refer to the document. If you want to get all the groups a user belongs to, you'll need to query them from the Microsoft Graph API. You can find the API documentation here: https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0.
If you use the app to access your own API, then to get the groups claim in the access_token you need to configure the groupMembershipClaims value as you want in the API's manifest; after that you get the groups claim in the access_token.
But if the resource being accessed is the MS Graph API or the Azure AD Graph API, you cannot configure that for them; you can only use OpenID Connect to get an id_token, and you will see the groups claim in the id_token. In your flow, add openid to the scope and you will find the group information in the id_token.
I tried the OAuth2 code flow in Postman:
And it returns the access_token and id_token. Parsing the id_token, I get the group information:
I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application-level and delegated permissions for MailboxSettings.Read and MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with jwt.ms. Here is the excerpt from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
I quickly tested with Microsoft Graph Explorer and it works for me. So I would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, a delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.
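The rule the last two answers arrive at, as an added example that is not part of the original thread: decide from a Graph access token's claims whether `GET /users/{id}/mailboxSettings` can succeed. A token from the auth code grant carries `scp` and the signed-in user's `oid`, and its MailboxSettings.* scopes only reach that user's own mailbox; a token from the client_credentials grant carries `roles` and no `scp`, and the MailboxSettings.* application role reaches any mailbox. The `idtyp` optional claim, when the app opted in to it, settles the token kind directly. All claim dictionaries are constructed.

```python
# Added example (not from the original thread): delegated vs. application
# authorization for /users/{id}/mailboxSettings, modelled from the answers above.
from typing import Tuple

MAILBOX_SETTINGS_PERMS = {"MailboxSettings.Read", "MailboxSettings.ReadWrite"}


def token_kind(claims: dict) -> str:
    """'delegated' (has scp / idtyp=user), 'application' (roles only /
    idtyp=app) or 'unknown'."""
    idtyp = claims.get("idtyp")          # optional claim; present only if enabled
    if idtyp == "user":
        return "delegated"
    if idtyp == "app":
        return "application"
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "unknown"


def authorize_mailbox_settings(claims: dict, target_user: str) -> Tuple[bool, str]:
    """(allowed, reason) for GET /users/{target_user}/mailboxSettings.

    target_user is an object id, a UPN, or the literal 'me'."""
    kind = token_kind(claims)
    if kind == "delegated":
        scopes = set(claims.get("scp", "").split())
        if not scopes & MAILBOX_SETTINGS_PERMS:
            return False, "delegated token lacks MailboxSettings.Read/ReadWrite"
        own_ids = {claims.get("oid"), claims.get("preferred_username"), claims.get("upn")}
        if target_user != "me" and target_user not in own_ids:
            return False, ("delegated MailboxSettings.* only covers the signed-in user; "
                           "use the client_credentials grant for other mailboxes")
        return True, "delegated scope on the signed-in user's own mailbox"
    if kind == "application":
        roles = set(claims.get("roles", []))
        if not roles & MAILBOX_SETTINGS_PERMS:
            return False, "app-only token lacks the MailboxSettings.Read/ReadWrite role"
        if target_user == "me":
            return False, "/me has no meaning without a signed-in user; address the user by id"
        return True, "application permission applies to any mailbox"
    return False, "token carries neither scp nor roles"


# Constructed claims: what the auth code grant and client_credentials grant
# respectively produce for the same app registration.
DELEGATED_CLAIMS = {
    "oid": "1111-admin-user",
    "preferred_username": "admin@contoso.example",
    "scp": "Mail.Read MailboxSettings.Read MailboxSettings.ReadWrite",
}
APP_ONLY_CLAIMS = {
    "oid": "2222-service-principal",
    "roles": ["MailboxSettings.Read"],
}

if __name__ == "__main__":
    for claims in (DELEGATED_CLAIMS, APP_ONLY_CLAIMS):
        print(token_kind(claims), authorize_mailbox_settings(claims, "3333-other-user"))
```

This is the logic to run against a decoded token before blaming consent: a 403 with MailboxSettings.Read visibly in `scp` is the expected outcome for another user's id, not a missing grant.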
I am new to Azure and Microsoft Graph API.
I am trying to access: https://graph.microsoft.com/v1.0/me/messages
and I am getting a 404 Not Found.
I took the access token and decoded it as a JWT, and I can see the access token contains my name and credentials, and the scopes defined are:
Directory.AccessAsUser.All Directory.Read.All email Files.ReadWrite Group.Read.All Mail.Send offline_access openid profil.Read
Can someone please suggest why I am getting a bad request?
In order to list (read) the mail messages (as described here) you need the Mail.Read or Mail.ReadWrite (if you also want to write messages) permission (scope).
With respect to mailing functionality you only have requested (or granted?) Mail.Send permission which only allows you send message (as described here).
The email claim is an OpenID Connect-specific claim and provides the logged-in user's email as a claim. It has nothing to do with Exchange Online and sending/receiving e-mails.
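The "decode the token and check scp or roles" step recommended in the User.Read thread earlier on this page, applied to this /me/messages question, as an added example that is not part of either original thread: decode a compact JWT without verifying it (what jwt.ms does), separate OpenID Connect scopes such as email/openid/profile from Graph permissions, and report whether the token satisfies a given operation. The permission table is a constructed subset taken from the answer above (Mail.Read or Mail.ReadWrite to list, Mail.Send to send); the sample token is constructed and unsigned, and the `profile` scope replaces the garbled entry in the question's list. Unverified claims are fine for explaining a client-side 403/404 and never for server-side authorization.

```python
# Added example (not from the original threads): unverified JWT decode plus a
# required-permission check against a constructed subset of Graph permissions.
import base64
import json

# operation -> (delegated scopes that satisfy it, application roles that satisfy it)
REQUIRED = {
    "listMessages": ({"Mail.Read", "Mail.ReadWrite"}, {"Mail.Read", "Mail.ReadWrite"}),
    "sendMail": ({"Mail.Send"}, {"Mail.Send"}),
}
# OpenID Connect scopes can appear in scp but grant nothing on Graph resources.
OIDC_SCOPES = {"openid", "email", "profile", "offline_access"}
# Graph's audience appears as either its URL or its well-known app id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt(token: str) -> dict:
    """Payload claims of a compact JWT; the signature is deliberately not checked."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def permission_report(token: str, operation: str) -> dict:
    """Explain whether `token` can perform `operation`, and what is missing if not."""
    claims = decode_jwt(token)
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    roles = set(claims.get("roles", []))          # application permissions
    delegated_ok, app_ok = REQUIRED[operation]
    if scopes:
        kind, held, needed = "delegated", scopes, delegated_ok
    elif roles:
        kind, held, needed = "application", roles, app_ok
    else:
        kind, held, needed = "none", set(), delegated_ok
    satisfied = bool(held & needed)
    return {
        "kind": kind,
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "graph_permissions": sorted(held - OIDC_SCOPES),
        "oidc_scopes": sorted(held & OIDC_SCOPES),
        "satisfies": satisfied,
        "missing_any_of": [] if satisfied else sorted(needed),
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none token so the demo runs offline (never accept these)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Claims modelled on the scp list in the question above (constructed).
QUESTION_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Directory.AccessAsUser.All Directory.Read.All email Files.ReadWrite "
           "Group.Read.All Mail.Send offline_access openid profile",
})

if __name__ == "__main__":
    print(permission_report(QUESTION_TOKEN, "listMessages"))
    print(permission_report(QUESTION_TOKEN, "sendMail"))
```

For the question's token the report comes back `satisfies: False` for listMessages with Mail.Read/Mail.ReadWrite listed as missing, and `True` for sendMail, which is exactly the answer above; requesting Mail.Read in the authorize URL's scope parameter and re-consenting is the fix.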