MicrosoftGraph on Enterprise Exchange Server

Can the MicrosoftGraph API, specifically the WebHooks, be used for accounts on an enterprise / on-premise Exchange server, as opposed to Office 365?
All the documentation I have seen for setting up the app required for OAuth authentication use Azure.

There is a "hybrid deployment" model currently in preview that allows you to traverse both on-prem and online mailboxes using Microsoft Graph. You can read about the infrastructure requirements at On-Premises Architectural Requirements for the REST API.
One note on authentication: Microsoft Graph uses OAuth tokens to handle authentication. These tokens are issued by Azure AD, but this does not mean that your entire infrastructure needs to be hosted on Azure, only that your AD be synced with an Azure AD instance using Azure AD Connect. Depending on the size of the organization you may even be able to use the free tier of Azure AD. I highly recommend taking a look into this configuration, as Azure AD is quickly becoming an assumed prerequisite for new APIs and services.

Related

item within versionoverrides invalid 'webapplicationinfo' on Exchange on prem with Azure AD Hybrid

We have a working Outlook app using version 1_1 on O365. We are testing this with an Exchange on-prem only setup but with Azure AD hybrid. The Graph API functions we need work within this environment, thanks to testing on Graph API Explorer.
When we push the manifest to Exchange, either via the Exchange admin portal or via PowerShell, we receive an error relating to webapplicationinfo being invalid. We have this within versionoverride 1.1, and that within versionoverride 1.0.
If I remove the webapplicationinfo section, which includes the scope, this will import OK, but when the app performs the function to get the auth token it fails, which I am sure is because the scope wasn't authorised.
Nowhere can I find anything that says on-prem is not supported. I find a lot of references to 2016 CU3 but nothing specific to on-prem. Can someone assist?
Exchange 2016 Cumulative Update 3 (CU3), released in September 2016 for Exchange on-premises servers, adds support for REST API integration with Microsoft 365. If your app uses v1.0 of the Mail, Calendar, or Contacts API, you will now also find a seamless authentication and application experience in hybrid deployments, regardless of whether the mailbox is on-premises or in the cloud, provided that the deployment meets specific requirements.
See Use REST APIs to access mailboxes in Exchange hybrid deployments (preview) for more information.

Ingesting Office 365 Alerts with Graph Security API: Set permissions in Azure AD

I'm trying to help someone to ingest Office 365 Alerts with the Graph Security API. This requires SecurityEvents.ReadAll as minimum permission. The docs mention that the permission setting is done in the Microsoft Graph API Explorer (see e.g. this blog). However, the account admin insists on setting the permissions using Azure AD. The question is how that is actually done. Azure AD / Enterprise Applications / Graph Explorer apparently doesn’t list any permissions. Would anyone know how to achieve this?
Many thanks!
If you want to test the Graph Security API in Microsoft Graph Explorer, you just need to set SecurityEvents.Read.All in Microsoft Graph Explorer.
If you want to call Graph Security API in your app, you should set SecurityEvents.Read.All in the app registered on Azure portal.
You could refer to Authentication and authorization basics for Microsoft Graph to learn more about how to handle the permissions and authorization to call Microsoft Graph API.

Office 365 Security and Compliance Center alerts api

Does anybody know if there is a rest API to the office 365 Security and Compliance center that can give me back any alerts raised by the Alert Policy?
It seems that there are some PowerShell cmdlets that allow the creation of new Alert Policies, but I would like to pull down the alerts generated by these policies (preferably without using PowerShell).
Maybe this is on the road-map for a future Microsoft Graph API?
Office365 security alerts are not yet supported, but this should be possible for Microsoft security products using the Public Preview of Graph Security API - aka.ms/graphsecurityapi.
Microsoft Graph Security API only has access to the following (now GA).
Microsoft Graph Security API to easily access alerts from the following security solutions:
Azure Active Directory Identity Protection,
Azure Information Protection,
Azure Security Center,
Microsoft Cloud App Security,
Microsoft Intune,
Windows Defender ATP, and
Office 365 ATP and Azure ATP (coming soon)

Utilizing OAuth2 for Office365, through Exchange ActiveSync (EAS)

The blog post: Announcing Exchange ActiveSync v16.1 states that:
While not a part of EAS 16.1, we also want to note that both Office 365 and Outlook.com customers can now utilize the OAuth 2.0 protocol for authorization through EAS.
My question is: which scope should I use in the oauth request?
Is there an example, perhaps of the full request?
Note: there was a similar question about using OAuth for Office365 with IMAP, but here I'm specifically asking about ActiveSync. I referenced this question in a comment to one of the answers on that thread.
Secondary problem:
Thanks to Jason's answer and some additional tweaks, we managed to generate an OAuth token using https://login.windows.net/common/oauth2, but only for Office 365 users (Organization Accounts) and not for Microsoft user accounts (live, hotmail, outlook.com...).
The token allows access to both ActiveSync protocol (via https://eas.outlook.com/Microsoft-Server-ActiveSync) and for EWS API (via https://outlook.office365.com/EWS/Exchange.asmx).
Unfortunately we cannot find a way to generate the same token for Microsoft online accounts (hotmail, live, outlook.com). We tried using this endpoint: https://login.live.com/oauth20_authorize.srf, which allows only ActiveSync and not EWS.
Is there a way to use the same token for both organization and online accounts on both protocols (ActiveSync and EWS)?
Sorry this took so long, but I wasn't aware of this question until today :). You need to register your app as a native application in Azure Active Directory:
Then add the Access mailboxes as the signed-in user via Exchange Web Services (under Office 365 Exchange Online) delegated permission.
NOTE: You cannot register this in the Application Registration Portal (https://apps.dev.microsoft.com), it needs to be registered in the Azure Portal (https://portal.azure.com/), and you need to use the v1 Azure auth endpoints for authorization and token requests.
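As an added example (not code from any of the answers above), the check below decodes an issued token's claims to confirm it actually carries what the two threads above asked about: SecurityEvents.Read.All for the Graph Security API, and the delegated EWS permission for the Exchange Online resource. It assumes the scope value behind the "Access mailboxes as the signed-in user via Exchange Web Services" display name is EWS.AccessAsUser.All, and uses locally constructed unsigned tokens in place of real ones.

```python
import base64
import json

# Sample tokens are constructed locally and unsigned (alg=none); none is a real Azure AD token.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
EWS_AUDIENCE = "https://outlook.office365.com"  # v1-endpoint resource for Exchange Online (assumed)

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none JWT for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Return payload claims without verifying the signature: this inspects what
    was issued to us, it is not a trust decision about an incoming token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def granted_permissions(claims: dict) -> set:
    perms = set(claims.get("roles", []))          # application permissions (app-only token)
    perms.update(claims.get("scp", "").split())   # delegated scopes, space-separated
    return perms

def can_read_security_alerts(claims: dict) -> bool:
    """Graph Security API alerts need SecurityEvents.Read.All (ReadWrite.All covers it)."""
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return False
    return bool(granted_permissions(claims) & {"SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All"})

def can_access_ews(claims: dict) -> bool:
    """EWS wants a token for the Exchange Online resource carrying the delegated
    'access mailboxes as the signed-in user' scope, EWS.AccessAsUser.All."""
    aud = str(claims.get("aud", "")).rstrip("/")
    return aud == EWS_AUDIENCE and "EWS.AccessAsUser.All" in granted_permissions(claims)
```

A token minted for one audience is rejected for the other, which is why the Graph token and the EWS token cannot be the same bearer string even when both come from the same Azure AD app.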

Strategies for deploying geo replicated Microsoft Graph/Office 365 API based application

We have a web application that uses the Microsoft Graph API and Outlook REST API. We implemented a code authorization flow. This means that it's our web server that handles requests to Microsoft Graph and Office 365 APIs.
We are based in Europe (hosted within Azure). Now we would like to replicate our infrastructure overseas to serve a better end-user experience.
What would be the possible strategies regarding these MS APIs?
Is there a geographical affinity mechanism? Is it based on the geo localization of the requesting app (us) or the localization of the tenant (we have users everywhere)? Will staying within Azure data centers provide better performance? What would be Microsoft's recommendations?
I asked about this, and the answer was that yes, there is an affinity system based on the location of your app. It should hit the instance of Graph or Outlook that's closest to you.
Regarding running in Azure, we are continuously optimizing latencies for Microsoft-owned Azure-based apps & services to access the Graph and Outlook APIs. This work would accrue to all apps and services running in Azure.