I need to create an application that sends emails by MS Graph but also I need somehow restrict it for few mailboxes who will sending email (e.x. avoid send mail as ceo). Before I used just Sytem.Net.Mail and because basic authentication is now deprecation I must find new way to sending mails.
So I registered new application AAD, I added API permission for MS Graph Mail.Send (application type). Now I want to add restricting for that Graph API (I want to limit who can send a message from this API.
I found that I must use New-ApplicationAccessPolicy cmdlet, but before that I created Mail-enabled security group.
Then via PowerSell I addes new policy:
New-ApplicationAccessPolicy -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7" -PolicyScopeGroupId "SMTPOAuth2SecurityGroup#consto.onmicrosoft.com" -AccessRight RestrictAccess -Description "SMTP OAuth2 Connector"
Then I added two accounts AlexW and DiegoS - both are from Microsoft 365 Developer Program, so both were not modify by me in any way:
Test-ApplicationAccessPolicy -Identity "AlexW#consto.onmicrosoft.com" -AppId
"9e48a326-a952-42ca-882f-ff1eec699ba7"
AppId : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox : AlexW
AccessCheckResult : Granted
Test-ApplicationAccessPolicy -Identity "DiegoS#consto.onmicrosoft.com" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"
AppId : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox : DiegoS
AccessCheckResult : Granted
But now I test my application. AlexW can send mail but for DiegoS (or random person) I got erorr:
DiegoS#consto.onmicrosoft.com:Code: ErrorAccessDenied Message: Access
to OData is disabled. ClientRequestId:
909c72f7-02b7-4697-afd5-3d65a58d47a5
I try to remove and again add, wait some time and still the same problem.
So, I need to create an application that sends emails by MS Graph but aslo I need somehow restrict
According to your description, I captured these key words: use graph api to send email, allow specific user to send email, api permisssion with application type. Then let's see the necessary parameter to send an email: sender, content, receiver.
Per my understanding, since you used application type permission, then you want to use client credential flow to generate access token and calling graph api to send the email, so you have to create an azure ad application(done), then you need to specify the sender(set restriction so that only AlexW and DiegoS can do it). Receivers and content are based on the requirement so we don't need to take them into consideration.
Here's a code snippet to send email via ms graph api. The only point we need to consider is how to set the sender user principle now.
Then here're 2 scenarios. If you need to ask users to sign in first then they can send email? Or what you created is just an API so that you only need to receive a parameter(e.g. parameter is the user principle used to send email) then use it to send email?
If you want to integrate the authentication then you can restrict users to access your app, then Azure ad already provided the feature to allow specific users to sign in then the ones who are allowed to sign in can send email, since they already signed in, we can certainly get the user principle.
If you just want to provide a web api, then you may store the users who are allowed to access your api into the database to so that you can check if the incoming request is legal...
Related
Is there any way to read mails from group email id or is there any way to read emails without graph api?
And also is there any way to restrict graph api token to read only from desired email account?
You should use GET /users/{id of group email}/mailFolders/{id}/messages to read mails from group email id.
See reference here.
If you want to restrict graph api token to read only from desired email account, you should implement Get access on behalf of a user. Then you will be able to access the signed-in user's email only.
To answer your first question, the following call will get you the emails in a group mailbox.
GET https://graph.microsoft.com/v1.0/groups/{group-id}/conversations
Can you ask your second question in a new post as it is not related to the first? Make sure you provide information about what you are doing. What auth flow are you using?
We have a Powershell script that creates some guest users using the New-AzureADMSInvitation cmdlet, and its return value has a handy-dandy InviteRedeemUrl property that we include in a nice welcome email to the user to get them started with setting their account up and using our application. This works fine when inviting individual or small numbers of users.
However, we'll need to do this for many users, and carefully control when the emails go out, and I can't see any other way of retrieving this URL after-the-fact... the only option seems to be the "Resend invitation" button on the guest user in AD, which sends a Microsoft-branded email from "Microsoft Invitations" with the redeem URL, which is kind of a problem... For marketing reasons we need to put the invite redeem URL in our own welcome email, so we don't want Microsoft sending out those emails.
Is there any way to retrieve or calculate that invitation URL after the guest user had already been invited? I know I could delete and recreate the invitation itself, but that's still a manual process and I'd like to be able to create guest users in bulk first, and then retrieve those URLs in bulk once we're ready to send out emails. Especially since Azure AD itself seems to be able to fetch the redeem URLs later on via the "Resend invitation" button.
Alternatively , you can think of adding you company branding in the verification and invitation mails in azure AD.
Here is something similar you can find:-
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs#how-do-i-customize-verification-emails-the-content-and-the-from-field-sent-by-azure-ad-b2c
Basically you need to change the company branding in Azure active directory to have your custom logo and text.
Hope it helps.
We ended up modifying the AD invitation script to store the InviteRedeemUrl value in our CRM as a field on the customer record. Then later on when our Marketing team wants to start their email campaigns, they could include a reference to this field in the email template just like they would any other field. This way, we got all our analytics on click/open rates and retained complete control over the emails, including where each batch was being sent from (so customers could reply to the correct support staff member for their segment).
We are trying to implement a google home action and it needs access to customer's email.
I can see the documentation on this page mentioned we need to have explicit consent from the user. https://developers.google.com/actions/policies/general-policies
Just wondering what sort of consent do we need to implement in order to get customer's email?
Can I please get a sample consent?
Thanks,
Yihan
You will need to implement Account Linking in some form. If you have an existing service that gets their email address, you need to link the Action to the account they have established on your service already.
If you don't have an existing service, you can take advantage of Google Sign In for Assistant, which is a streamlined way you can get permission to access their Google Profile and, if they have one, their registered email address.
I've been working in a meeting management app using EWS SOAP service (Exchange 2010 SP1), but for meetings created on behalf of a certain user I cannot know who is this user when I try to get the meeting data through EWS SOAP.
In Outlook (2010 specifically) I can see the name of the account who has acting in behalf of another account on a meeting request for accept or rejection (e.g. Some User ; on behalf of; Another User ), then I want to retrieve the same information through EWS.
I tried to retrieve the meeting information using the example of https://msdn.microsoft.com/en-us/library/office/dn439786(v=exchg.80).aspx changing the Element IdOnly by AllProperties
but I cannot see the property that define who acted in behalf of this account
Is there any way to obtain this user's email or name?
I believe that you need to check this on the meeting request, not the appointment. Check the From and Sender, as I recall the Sender would be the delegate, and the From would be the delegator (though I may have them switched :))
My question is almost the same as this one
only difference is that users has an option to register (provides his username and password).Users should only have one account registered, if the user has the same email I merged those accounts. and my application has another method for logging in which is via Facebook.
What I basically do is
When The User visits the for site for the first time, he or she then
gets created a User Account where the it only has Username ,password
and mail address after that third-party identity record is created
and then paired with the local account.however the Users table will
have an empty Username and password, but the email will be filled
with the users email that we have retrieved from the third party
service provider
And the Second Scenario
Users attempts Register to the site. check if email exist if the
email exist but it is registered using a third party account, Use
the user populated form and insert it to the user account paired
with the third party account, in short if the users email exist in the database I
will just merged the locally created account and the third party
account.
Now my question is my approach secure and credible? if not what is the best way to merge accounts and at the same time if the user registers with the same email(the one from the third party account) and he has a third party account, those account would be merge?
The way I look at this, there is only one account. One email, one account period. There might be various attributes associated with that account, like for e.g. linked to a set of OAuth credentials etc. But fundamentally there is only one account. If your user has registered once using a social account and then try to register again on your site, send them over to the social site which they used to register the first time and ask them to login there. Then log them into your site automatically. If the user has an account with your site and then tries to register again with a social account, tell them that you already have an account on the site and ask them to login. IMHO, keeping separate accounts and trying to merge them is a messy idea.
I would provide two sets of behavior, one when logged in and one when logged out.
When logged in, you provide the ability to link to new third-party accounts. For example, you sign up with email address and password, then log in, then you can link your Facebook account. To link your Facebook account you authorize with Facebook and then store the Facebook information in that user account record.
When logged out, you must log in with existing credentials. If, when logged out, you try to create an account with an existing email address, you either prevent the log in, saying "an account with that email address already exists", or you immediately challenge the user to log in to merge the account (in which case it works like the logged in case when linking an external account, only with the order of authentication operations reversed).
In case it's not clear from the above, I recommend having a single user account and a way to record linkages between that account and external accounts. You can do this in NoSQL buy just adding fields to the user document or you can do this relationally by having a table representing external accounts with a foreign key linking them to the user ID.
Beware not to use oAuth 2.0 !
The lead author himself resigned as it's not as safe as the 1.0 version.
You should prefer oAuth 1.0 or OpenID.
You can also have a look at Persona from Mozilla