I need to read mail off a shared mailbox in a Web API. The Web API will not be running on behalf of an user and there is no user interaction. What is the flow I should use to authenticate https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows. I tried the standard authentication using an applicationID and secret but when I tried to access the shared mailbox through I got an access denied error. Also how will the maintainer of the shared mailbox grant the application access ?
First the delegation or sharing of a mailbox is done through the outlook client.
Microsoft Graph Shared mailbox access - documented here for shared mail folders is the same as non shared mailboxes but with the shared mailbox permissions ie Mail.Read.Shared or Mail.ReadWrite.Shared and only works for delegated permissions.
That said when it comes to flow to use, it depends on your requirements. From what you have described you should be able Client credentials flow and applications permissions Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite
Another point is that if your API will not run on behalf of a user then the context of shared mailbox does not apply because Graph will consider shared access if the access token has delegated permissions but with application permissions access, it does not apply. This is why the permissions Mail.Read.Shared or Mail.ReadWrite.Shared are not available on application permissions.
To better understand:
GET /users/{id | userPrincipalName}/mailFolders.. will only work if id | userPrincipalName is not the signed in user and Mail.Read.Shared or Mail.ReadWrite.Shared are added as delegated permissions
GET /users/{id | userPrincipalName}/mailFolders.. without signed in user will not consider the mailbox as shared.
Related
I am new to the Microsoft Graph PowerShell SDK.
The commands below all launch a browser tab where I am prompted to login.
I login with my Microsoft account which has these roles:
SharePoint Administrator
Global Reader
Power Platform Administrator
The account is also specified as an Admin of the global term store taxonomy.
In order to list all sites in a tenant (List sites), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"
In order to export term store taxonomy (Get store), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "TermStore.Read.All", "TermStore.ReadWrite.All"
In both these instance, after logging in with my admin account, I am getting the error shown below in the browser:
Need admin approval
unverified
needs permission to access resources in your organization that only an admin can grant.
Please ask an admin to grant permission to this app before you can use it
I do not get this error when connecting with the following:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Troubleshooting
Perhaps the research below can shed some light on an answer as to why this is happening and how to resolve it?
If I look at the docs for the Graph API endpoints I am wanting to query, I can see the Permissions are as follows:
List sites
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
Delegated (personal Microsoft account)
Not supported.
Application
Sites.Read.All, Sites.ReadWrite.All
Get store
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
TermStore.Read.All, TermStore.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Not supported.
How do these permissions relate to using the Graph PowerShell SDK?
Per the quote below from the official docs, I believe using the SDK as I have above is considered delegated access?
The PowerShell SDK supports two types of authentication: delegated
access, and app-only access. In this guide, you'll use delegated
access to sign in as a user, grant consent to the SDK to act on your
behalf, and call the Microsoft Graph.
So I guess my scenario is Delegated (work or school account)?
Questions
01) If so, does that mean I cannot make any request where the API docs define the Permissions as:
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
02) If that is the case, does that mean that the Microsoft Graph PowerShell SDK is not a good tool for administering SharePoint Online (because, according to the API reference docs, many of the endpoints are 'not supported' by a Delegated (work or school account))?
Thanks for reaching out to us , this looks like you are not using your admin account, please cross check the account you are logging in PowerShell. please follow below steps .
Try to disconnect your previous account from PowerShell (use command Disconnect-MgGraph)
Then try connect with your account ,use Connect-MgGraph
You will get a pop up , select the account in which you are the admin.
Then run the command and try again
Edited :
Agree with scottwtang comments ,If you are using the correct account make sure admin consent requests are Enabled in your tenant , you can check by following the below steps and ask your Global Administrator to grant admin consent
To check the admin consent workflow and choose reviewers:
Sign in to the Azure portal with one of the roles listed in the
prerequisites.
Search for and select Azure Active Directory.
Select Enterprise applications.
Under Manage, select User settings. Under Admin consent requests,
select Yes for Users can request admin consent to apps they are
unable to consent to . Configure admin consent workflow settings
ref doc - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
Hope this help ,
Thanks
I had the Exchange Server Admins create an email account for me that I could use for EWS API testing (it was not an AD account). I used EWS api with no problem (using webCredentials). This app that uses EWS API consumes information from a mailbox and does stuff with it.
Now we had a service account created that will be used for a service on a server running the application. If I use the credentials for this service account (when I entered the credentials via WebCredentials) I get a 401 UnAuthorized.
I also used the EWSEditor and the same thing happens.
Any ideas about what I should be looking for or what to ask the AD/Exchange admins to check/change, etc?
I had the Exchange Server Admins create an email account for me that I could use for EWS API testing (it was not an AD account)
So this is technically incorrect, eg there is no such thing as an email account with Exchange you have an AD Account and the administrator then creates a Mailbox that is associated with that Active Directory Account (so be careful with what the admins are telling you if they are saying there is no AD Account).
Now we had a service account created that will be used for a service on a server running the application. If I use the credentials for this service account (when I entered the credentials via WebCredentials) I get a 401 UnAuthorized.
Is the service account mail enabled ? the easiest thing to do is ask them to Mail Enable (create a Mailbox) for the service account (if they don't want it to appear in the GAL then tell them to hide it). You should then be able to logon and at least access the Mailbox of the service account as you where with you previous code or the ewsEditor. To then access the Target Mailboxes you want to access you just need to be assigned rights (Eg add-MailboxPermissions and wait 15 minutes for application).
I have an office 365 account from work and it is not admin. When I try the Graph API for Planner to get all the plans, It responds with Insufficient privileges to complete the operation. I know that it requires the permission of "Group.ReadWrite.All". If I ask my boss for this permission, Is it going to be limited to my account only or is it going to make my account an admin which i will not likely get it.
If you are using Application Registration Portal to get the token:
In Application Registration Portal set the permission that you need, for example
Group.ReadWrite.All and Directory.AccessAsUser.All. Always you must use Directory.AccessAsUser.All because users need login and get the token.
When save Application Registration Portal go to Azure Portal, in Azure Active Directory --> Enterprise applications --> click in you application --> "click in consent permission for username..." --> login --> accept.
Use librarys as hellojs and get a token.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
we've seen this SO question already and using the O365 REST API we have a working Oauth2 workflow that authenticates an O365 user and returns an access token. Our question is: Once we have an access token for a user, how can we discover the user's SharePoint servers (and associated endpoints) without knowing the authenticated user's O365 SharePoint server URLs ahead of time?
Our application uses Oauth2 workflows to access data on behalf of users from GitHub, DropBox, Google Docs and other services, and typically once user permission has been granted and we have an access token there is a straightforward way of querying/retrieving the resources for the user via the access token.
Once we have an access token, we're calling the O365 Discovery Services. If I'm reading the docs correctly, we should be getting back ServiceInfo entries on a request to the O365 /Services endpoint with an access token, like this:
https://contoso-my.sharepoint.com/personal/alexd_contoso_com
https://contoso-my.sharepoint.com
But at present we only get back O365 File and Contact ServiceInfo entries, even though in the Azure Portal when we created our app we specified Office 365 SharePoint Online Delegated Permission ('Read List').
If there are different O365 endpoints we should be hitting once we have an access token in order to discover a user's SharePoint servers, or if we're using the Discovery Services wrong, please provide a few pointers -- We want to solve this problem in a generic fashion based on Oauth2 workflow and don't want to prompt the user for things like O365 SharePoint Server URLs.
Lastly I'd mention that we're accessing this info in a purely RESTful fashion and we have no Windows-specific dependencies (in fact we're building things on the JVM) so a workable solution for us must not depend on Windows-only APIs or platforms.