I would like to create a subscription for incoming mails on a shared mailbox with Microsoft Graph.
Background:
I have an app created with delegated user rights:
Read all webhook subscriptions (preview)
Read and write user mailbox settings
Read and write user and shared mail
I have created a shared mail box
I have added a user to that shared mailbox.
I have added the shared mailbox to the user's folders, so I see the user's mailbox and the shared mailbox in the web GUI.
I have created a C# program to receive an auth token, create subscriptions and list messages from a mailbox.
What works:
Receiving auth token
List messages of the user's mailbox
List messages of the shared mailbox
Create a subscription on the user's mailbox
It does not work if I try to create a subscription for incoming mails in the shared mailbox.
My resource string during creation of the subscription is:
Resource = users/xx#xxx.onmicrosoft.com/mailFolders('Inbox')/messages
As said, this works well with the user's mail address but fails using the shared mailbox address:
{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Forbidden]",
    "innerError": {
      "request-id": "xxxxx-8515-4048-8c05-f3eb91a1f69a",
      "date": "2018-12-13T15:17:09"
    }
  }
}
Subscription failed because:Forbidden
Did I use the wrong resource string here or did I miss an app right here?
According to the Microsoft community (https://answers.microsoft.com/en-us/msoffice/forum/all/new-email-notification-for-shared-mailboxes/356cca22-6b23-440c-84a4-3a7b1c4021ad), this will never work:
This is 'expected behavior' for shared mailboxes- you'd need to add it as an account, not a shared mailbox, to get notifications. You could use macros to watch the inbox and alert you when a new message arrived.
I have an application configured within an Azure AD B2B tenancy that has the appropriate permissions (user.readwrite.all, user.invite.all) to send invitations out to external (guest) users.
Those invitations are configured to send an email including a custom message AND an internal mailbox as a cc recipient, e.g.:
{
  "invitedUserDisplayName": "Display Name",
  "invitedUserEmailAddress": "username#externalemailaddress.com",
  "invitedUserMessageInfo": {
    "ccRecipients": [{
      "emailAddress": {
        "address": "internal.mailbox#companydomain.com",
        "name": "mailbox name"
      }
    }],
    "customizedMessageBody": "a custom message"
  },
  "sendInvitationMessage": true,
  "inviteRedirectUrl": "https://myapplications portal/"
}
This used to produce a single email that goes out To: the invited user's email address AND Cc: the internal mailbox with BOTH addresses visible on the same email. This is done to verify that the email was sent to the external user, verify which email it was sent to, and also give invited users a contact address they can reply to if they have any issues signing up.
However, as of the last couple of days, a change appears to have occurred. Now, it appears as if two separate emails are being sent where both recipients are receiving their own copy with only their own email address visible in the To: field.
So now, we cannot confirm the external user email was received or which address it was sent to without using Azure's logs. It also makes cc'ing the invitation to the mailbox pointless since there is no way of determining which user each invitation was sent to. (Without having to scrape Azure user object id's out of the invitation link and looking them up one-by-one.)
Has there been some sort of change recently with Microsoft Graph that would cause this? Is there some sort of configuration option within the Azure Admin Portal that would allow an admin to (perhaps inadvertently) change this behavior within the Tenancy? (Our admin has denied making any such change.)
Answering because the issue appears to have been resolved.
Invitations being sent out by Azure have reverted to previous behaviour with a single email to both recipients. Going back through our mailbox, the issue only existed from 16th-18th September. Perhaps some change was made in error on Microsoft's side and has been reversed.
I am struggling to make an app with the ClientCredential auth flow create a subscription on a SharePoint list.
Request:
var subscription = new Subscription
{
    ChangeType = "updated",
    NotificationUrl = "{validNotificationUrl}",
    Resource = "sites/root/lists/{listId}",
    ExpirationDateTime = DateTime.UtcNow.AddDays(2),
    ClientState = "{clientState}"
};
subscription = await _graphClient.Subscriptions.Request().AddAsync(subscription);
Response:
Unauthorized 403
{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access denied. You do not have permission to perform this action or access this resource.]",
    "innerError": {
      "date": "2020-08-04T13:01:27",
      "request-id": "c480fa5d-4bbd-44a1-9f86-587548a29a19"
    }
  }
}
I've checked request access_token, and it has required permissions (Sites.ReadWrite.All, Sites.Manage.All according to documentation should be enough).
Reading Subscriptions and creating lists works fine for app.
I started to play around with different configurations, trying to isolate the problem, and managed to:
make app create subscription on users resource.
make delegated user create subscription on list
I feel quite lost, since I've given app more permissions than delegated user, and it still gets Unauthorized 403, and response error doesn't tell much how to resolve this issue.
Are there any configurations for SharePoint List subscriptions that need to be taken care of for app authentication only?
The service is currently experiencing an issue where app-only list and drive subscriptions are getting an access denied error when they shouldn't. The team is currently working to solve the issue. I suggest you follow this issue as we investigate the problem, or that you open a support ticket asking to link your ticket to the ICM 200246697.
In delegated API permission mode, we are able to get events () from RoomMailBox calendar but not subscribe for notifications (webhooks) on events changes.
Each time we tried to create a notification channel (https://graph.microsoft.com/v1.0/subscriptions) we got an error:
"error": {
  "code": "ExtensionError",
  "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
  "innerError": {
    "request-id": "XXXXXXXXXXXXXXXX",
    "date": "XXXXXXXXXXXXX"
  }
}
Moreover, we have full access on RoomMailBox by using user account we used on delegated mode (user account impersonated).
If we try it by using Application permission mode, it's working, we got a subscription channel. Everything is OK.
Could you tell us if there is a way to subscribe to RoomMailBox (actually it seems you just support UserMailbox & SharedMailBox) calendar event notifications in delegated API permission mode?
It's a known limitation of create notification API currently.
Delegated user permissions are not allowed to create a subscription to a shared calendar.
Only application permissions (app-only) are possible.
If you need it to be provided, please submit a user voice request.
See a previous discussion here.
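An added diagnostic example, not part of any post on this page: since several of these failures depend on whether the call is made with delegated or app-only permissions, this parses the `ExtensionError` message format quoted above and reports which kind of token was sent. It assumes the Azure AD convention that delegated tokens carry an `scp` claim and app-only tokens a `roles` claim; the function names, sample token and sample error body are constructed for illustration.

```python
import base64
import json
import re

# Message format of the ExtensionError bodies quoted on this page.
EXT_RE = re.compile(r"Operation: (?P<op>\w+); Exception: "
                    r"\[Status Code: (?P<status>\w+); Reason: (?P<reason>.*)\]\s*$")

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(claims):
    """Delegated tokens carry a space-separated 'scp'; app-only tokens carry 'roles'."""
    if claims.get("scp"):
        return "delegated", sorted(claims["scp"].split())
    if claims.get("roles"):
        return "app-only", sorted(claims["roles"])
    return "unknown", []

def triage(error_body, token):
    """Combine the Graph error body and the token's claims into one summary."""
    err = json.loads(error_body)["error"]
    m = EXT_RE.search(err.get("message", ""))
    kind, perms = token_kind(jwt_claims(token))
    return {
        "code": err.get("code"),
        "operation": m.group("op") if m else None,
        "status": m.group("status") if m else None,
        "reason": m.group("reason") if m else None,
        "request_id": err.get("innerError", {}).get("request-id"),
        "token_kind": kind,
        "permissions": perms,
    }

def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

SAMPLE_ERROR = json.dumps({"error": {"code": "ExtensionError",  # constructed sample
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
    "innerError": {"request-id": "constructed-request-id", "date": "constructed"}}})

if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, make_sample_token({"scp": "Calendars.Read User.Read"})))
```

Decoding the token locally like this keeps a live bearer token out of online decoders and logs; the unverified claims are for troubleshooting only and must not drive any authorization decision.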
I have a background application and need to read outlook messages for user.
I created an application on https://apps.dev.microsoft.com after logging under this user.
I set the following permissions:
Then I try to create subscription:
where name of user in Resource property is the same as I logged to system when I had been creating application on https://apps.dev.microsoft.com
But I get
"Operation: Create; Exception: [Status Code: Unauthorized; Reason: No applicable user context claims found.]",
What is wrong?
When I try to list channel messages I get:
[...] "code": "UnknownError", "message": "Failed to execute backend request." [...]
This error is for all teams I don't belong to.
I have this error when trying to call the API from Microsoft Flow (with HTTP GET) but also with Graph Explorer: the account I used has FULL permission but still asks to check my permission:
Failure - Status Code 403, 656ms Looks like you may not have the permissions for this call. Please modify your permissions
And the registered application has the delegated permission needed to call this endpoint regarding the documentation:
GET /teams/{id}/channels/{id}/messages
https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta
Is it a bug because of the "beta" or something I've missed?
After searching and testing I can confirm that I was misunderstanding how the delegated permission works.
The user needs to have the permission to read the chat message, meaning that the user needs to be at least a member of the team that is concerned by the call.
I confirmed it by testing on a team/group where the account is not a member (result = Status code 403), and everything works after adding the account to the team/group.
Does this mean that, at the moment, to be able to list channel messages from all teams in the organisation we need to have a unique account that is a member of each team (= the account used in the microsoft-graph call)?
If anyone faces the same situation, this video helps to understand the concept more easily: https://www.youtube.com/watch?v=UPkHvy3eRCM