What is the purpose of the new "Read user and shared mail" delegated scope in Azure AD portal for Office 365 Exchange Online - office365api

What is the purpose of the new delegated scope "Read user and shared mail" in Azure AD for Office 365 Exchange Online?
Is it for accessing shared mailboxes with the Outlook REST API? It seemed impossible until now.
Is there some documentation available? Does this scope require admin_consent?

Yes. This permission is used for accessing the messages of a shared mailbox. However, we need to specify the shared mailbox we want to retrieve the messages from. Here is an example for your reference:
GET: https://outlook.office.com/api/v2.0/users/sharedmailbox@yourtenant.onmicrosoft.com/messages
Is there some documentation available? Does this scope require admin_consent?
I didn't find any documentation about this scope, and based on my test this scope doesn't require admin consent.
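The request in the answer above, worked through in PowerShell as an added example (this is not code from the original answer). The scope the portal labels "Read user and shared mail" is the Mail.Read.Shared delegated permission. The example assumes, beyond what the page states, that $AccessToken is a bearer token obtained interactively for the signed-in user with that scope, that the signed-in user has been granted delegate or Full Access rights on the shared mailbox, and that the mailbox address is a placeholder. It addresses the shared mailbox explicitly (/me/messages would return the caller's own mail), follows server-driven paging, and turns a 403 into an actionable error:

```powershell
# Added example: read a shared mailbox with the Outlook REST API v2.0 using a delegated token.
# Assumptions (not stated on the page): $AccessToken carries the Mail.Read.Shared scope and the
# signed-in user has rights on the shared mailbox; the mailbox address is a placeholder.

function Get-SharedMailboxMessages {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $SharedMailbox,   # e.g. sharedmailbox@yourtenant.onmicrosoft.com
        [int] $MaxMessages = 50
    )

    $headers = @{
        Authorization     = "Bearer $AccessToken"
        Accept            = 'application/json'
        # Routing hint: tells the service which mailbox the request is for.
        'X-AnchorMailbox' = $SharedMailbox
    }

    # Address the shared mailbox explicitly; /me/messages would return the caller's own mail.
    $escaped = [uri]::EscapeDataString($SharedMailbox)
    $uri = "https://outlook.office.com/api/v2.0/users/$escaped/messages" +
           '?$select=Subject,From,ReceivedDateTime,HasAttachments&$orderby=ReceivedDateTime desc&$top=25'

    $messages = @()
    while ($uri -and $messages.Count -lt $MaxMessages) {
        try {
            $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        }
        catch {
            $status = $_.Exception.Response.StatusCode.value__
            if ($status -eq 403) {
                throw "Access denied to $SharedMailbox. Check that the token carries Mail.Read.Shared " +
                      "and that the signed-in user has delegate or Full Access rights on the shared mailbox."
            }
            throw
        }
        $messages += $page.value
        # Follow server-driven paging until the service stops returning a next link.
        $uri = $page.'@odata.nextLink'
    }

    $messages | Select-Object -First $MaxMessages
}

# Usage (interactive token acquisition is outside this example):
# Get-SharedMailboxMessages -AccessToken $token -SharedMailbox 'sharedmailbox@yourtenant.onmicrosoft.com' |
#     Format-Table ReceivedDateTime, Subject, @{n='From'; e={ $_.From.EmailAddress.Address }}
```

The scope alone does not grant anything: the token only lets the app act as the signed-in user, so the mailbox owner or an admin must still have shared the mailbox with that user. A 403 here is therefore a rights problem on the mailbox, not a missing API permission.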

Related

Query Files of another One Drive for Business User's Files using MS Graph API as Global Admin

I can query my own One Drive for Business account files as 'The Global Admin' using Microsoft Graph API. I cannot query another One Drive for Business user's files as 'The Global Admin' using Microsoft Graph API.
Own Files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Another User:
https://graph.microsoft.com/v1.0/users/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/drive/root/children
I am using an Azure AD registered app with the following Application permissions:
Files.ReadWrite.All
Sites.Read.All
Sites.ReadWrite.All
User.ReadWrite.All
offline_access
However, when I go to Office 365 Admin and
choose that other One Drive for Business user (for which I could not query files using MS Graph API) => OneDrive => Get access to files => click Create link to files,
then I can successfully query that other user's files using MS Graph API.
If the Global Admin needs to query the files of all user accounts using MS Graph API when there are hundreds of users, then this method might not be practical.
Is there an easier way, or is it programmatically possible, to give the Global Admin the permissions to query the files of all user accounts using MS Graph API? If yes, how do we do that?
Thanks!
As you've observed, a tenant admin cannot implicitly access any user's content. You have the power to grant yourself that access, but that is cumbersome to do at scale. If you're a tenant admin you have another option though: use an "app-only" (i.e. application permissions) token. You'll have to consent to the app for your tenant, but after that it can access content across your tenancy.
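The app-only route the answer describes, as an added example that is not code from the original answer. It assumes, beyond what the page states, that the app registration holds the Files.Read.All (or Files.ReadWrite.All) and User.Read.All application permissions with admin consent, that the client secret is supplied through an OFFICE_APP_SECRET environment variable, and that the tenant and app IDs are placeholders. It obtains a token with the OAuth 2.0 client credentials grant, then walks every user's drive root, distinguishing a user who simply has no OneDrive provisioned (404) from a real permission failure (403):

```powershell
# Added example: list the OneDrive root of every user with an app-only (client credentials) token.
# Assumptions (not on the page): Files.Read.All and User.Read.All *application* permissions are
# consented, and the secret comes from $env:OFFICE_APP_SECRET. IDs below are placeholders.

function Get-AppOnlyGraphToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    # Client credentials grant; the .default scope requests every application
    # permission an admin has already consented to for this app.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    $resp.access_token
}

function Get-AllUsersDriveRoots {
    param([Parameter(Mandatory)] [string] $AccessToken)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName&$top=999'

    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($u in $page.value) {
            try {
                $items = Invoke-RestMethod -Method Get -Headers $headers `
                    -Uri "https://graph.microsoft.com/v1.0/users/$($u.id)/drive/root/children"
                [pscustomobject]@{ User = $u.userPrincipalName; Items = $items.value.Count; Error = $null }
            }
            catch {
                $status = $_.Exception.Response.StatusCode.value__
                # 404: the user has never had a OneDrive provisioned, so there is no drive to read.
                # 403: a permission problem; with consented Files.Read.All an app-only token should
                #      not see this, so surface it rather than swallowing it.
                [pscustomobject]@{ User = $u.userPrincipalName; Items = 0; Error = $status }
            }
        }
        # Follow server-driven paging across large tenants.
        $uri = $page.'@odata.nextLink'
    }
}

# Usage:
# $token = Get-AppOnlyGraphToken -TenantId '<tenant-guid>' -ClientId '<app-guid>' -ClientSecret $env:OFFICE_APP_SECRET
# Get-AllUsersDriveRoots -AccessToken $token | Format-Table
```

Note what this token is: a credential that reads every user's files in the tenant without any user being involved. The page describes no way to scope Files permissions to particular users, so the secret (or better, a certificate) behind this registration must be protected as a tenant-wide credential, and the delegated "grant myself access to one user's OneDrive" path in the question remains the least-privilege option when only a few users are involved.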

MS graph api - scope access to particular user inbox

We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user; there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular Outlook mailbox called my.test@org.com
We are following the permission scoping documentation and the permission documentation for when there is no signed-in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers@contoso.com <-- would I put here my.test@org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed? It seems strange that in the first step we can only give tenant-wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps look good to me and I would do the same. Just provide the necessary Graph permissions while you grant permissions to access your/others' mailboxes, as described in the documentation/steps.

Rest Api permissions on one mailbox only in office365

I'm one of the IT administrators of our company and our developer needs to access a certain mailbox on our Office 365 tenant with the REST API
so he can get the emails and the attachments within.
But for some reason I cannot see a way to limit the permissions to that specific mailbox.
Is there a way to limit those permissions to one mailbox?
Yes you can, using an application access policy.
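The application access policy that both this answer and the previous question (the New-ApplicationAccessPolicy step with the EvenUsers group) rely on, worked through end to end as an added example; this is not code from either post. It assumes, beyond what the page states, that the ExchangeOnlineManagement module is installed, that the caller is an Exchange administrator, that the app ID is the placeholder from the question above and stands in for your own registration, and that the mailbox and group addresses are made up. The point the previous question asked about: -PolicyScopeGroupId takes a mail-enabled security group (or distribution group), never a user, so the single mailbox is scoped by making it the group's only member.

```powershell
# Added example: scope a daemon app's mail application permissions to one mailbox with an
# Exchange Online application access policy.
# Assumptions (not on the page): ExchangeOnlineManagement is installed, the caller is an
# Exchange admin, and the app ID, mailbox and group addresses below are placeholders.

Connect-ExchangeOnline

$appId   = 'e7e4dbfc-046f-4074-9b3b-2ae8f144f59b'   # your app registration's Application (client) ID
$mailbox = 'my.test@org.com'                        # the one mailbox the app may read
$other   = 'someone.else@org.com'                   # any mailbox outside the group, for the negative test

# -PolicyScopeGroupId must be a mail-enabled security group (or distribution group),
# not a user. Create one and make the target mailbox its only member.
$group = New-DistributionGroup -Name 'App-ScopedMailboxes' -Type Security `
    -PrimarySmtpAddress 'app-scoped-mailboxes@org.com'
Add-DistributionGroupMember -Identity $group.Identity -Member $mailbox

# RestrictAccess: the app's mail/calendar/contacts application permissions now work only for
# members of the group. Every other mailbox returns 403 to the app even though the permission
# itself is tenant-wide.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description 'Restrict the mailbox-reader daemon to members of App-ScopedMailboxes'

# Verify the effective result for the allowed mailbox and for one that must be denied.
# Policy changes take some time to propagate, so re-run these checks if the first pass still shows Granted.
Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId   # AccessCheckResult: Granted
Test-ApplicationAccessPolicy -Identity $other   -AppId $appId   # AccessCheckResult: Denied
Get-ApplicationAccessPolicy | Where-Object AppId -eq $appId

Disconnect-ExchangeOnline -Confirm:$false
```

Both steps from the previous question are indeed required: the tenant-wide application permission is what Azure AD can express, and the access policy is the Exchange-side filter that narrows it. The Test-ApplicationAccessPolicy negative check is the part worth keeping in a runbook, because a missing or mis-scoped policy fails open to the whole tenant.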

Microsoft Graph API - how to grant access for my inbox via API to specific user(s)

I have a question about handling permission grants of inboxes via Microsoft Graph API.
Is it possible via Microsoft Graph API to grant another user the access permission to my inbox messages?
I haven't found any suitable operation so far.
Retrieving released mailboxes from another user works fine, but how do I make my own inbox visible to a specific user so that he has the grant to access my inbox?
I haven't found an operation under:
https://graph.microsoft.com/v1.0/users.....
or https://graph.microsoft.com/v1.0/me.......
Thanks for your help
According to the documentation, you'll need delegated access.
If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user.
At this moment you have no way to share your mailbox by using the api. If you however shared your mailbox with some other user, they will be able to access it.
I think it's a good thing that you cannot share your mailbox from an app, because it would be easy to compromise a user's mailbox with a malicious app. If you really want to, you might be able to share the user's mailbox by using EWS (that is the same connection the Outlook app uses).

How to access a group calendar using Microsoft Graph Api?

I'm trying to access a group calendar using the microsoft graph api as the application (I don't want to use delegate permissions).
If I request calendar events using the below I get the events for the user just fine.
https://graph.microsoft.com/v1.0/users/[emailAddress]/events
If I make a request to the following I get group information:
https://graph.microsoft.com/v1.0/groups/[groupId]/
If I make a request to this:
https://graph.microsoft.com/v1.0/groups/[groupId]/events
I get "Access is denied. Check credentials and try again."
In azure portal, I've given my app service the following Application permissions:
Calendars.Read
Calendars.Read.Shared
Group.Read.All
User.Read.All
What am I missing?
Application permissions to list events are currently not supported. Also, listing events using delegated permissions with personal accounts is not supported. Please refer to the List Events documentation, which has the details. You can also refer to the known limitations of Graph here.
A UserVoice feature request for this is also available here and you can upvote it so that the product team can include it in their plans.