401 UnAuthorized Error with Service Account using EWS - service

I had the Exchange Server Admins create an email account for me that I could use for EWS API testing (it was not an AD account). I used EWS api with no problem (using webCredentials). This app that uses EWS API consumes information from a mailbox and does stuff with it.
Now we had a service account created that will be used for a service on a server running the application. If I use the credentials for this service account (when I entered the credentials via WebCredentials) I get a 401 UnAuthorized.
I also used the EWSEditor and the same thing happens.
Any ideas about what I should be looking for or what to ask the AD/Exchange admins to check/change, etc?

I had the Exchange Server Admins create an email account for me that I could use for EWS API testing (it was not an AD account)
So this is technically incorrect, eg there is no such thing as an email account with Exchange you have an AD Account and the administrator then creates a Mailbox that is associated with that Active Directory Account (so be careful with what the admins are telling you if they are saying there is no AD Account).
Now we had a service account created that will be used for a service on a server running the application. If I use the credentials for this service account (when I entered the credentials via WebCredentials) I get a 401 UnAuthorized.
Is the service account mail enabled ? the easiest thing to do is ask them to Mail Enable (create a Mailbox) for the service account (if they don't want it to appear in the GAL then tell them to hide it). You should then be able to logon and at least access the Mailbox of the service account as you where with you previous code or the ewsEditor. To then access the Target Mailboxes you want to access you just need to be assigned rights (Eg add-MailboxPermissions and wait 15 minutes for application).

Related

SP REST access using guest account

I am trying to access a SP site outside of my tenant using a guest account provided by the third-part company.
According to them, the access is given using Azure B2B (ExternalAzureAD).
I want to access the SP site using Power Automate to copy files to my tenant. It is a specific list, but not specific files.
I tried performing common HTTP SP Rest requests (the connector using the guest account) and HTTP using AAD, but I keep having "401 UNAUTHORIZED" as a response.
Any ideas on how to perform this call? I have very little room for requests with the third-part company, and a request to register an application user to generate a token for me is almost certain to be denied.
What could I try here?
Thanks!

MsGraph WebAPI access a shared mailbox

I need to read mail off a shared mailbox in a Web API. The Web API will not be running on behalf of an user and there is no user interaction. What is the flow I should use to authenticate https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows. I tried the standard authentication using an applicationID and secret but when I tried to access the shared mailbox through I got an access denied error. Also how will the maintainer of the shared mailbox grant the application access ?
First the delegation or sharing of a mailbox is done through the outlook client.
Microsoft Graph Shared mailbox access - documented here for shared mail folders is the same as non shared mailboxes but with the shared mailbox permissions ie Mail.Read.Shared or Mail.ReadWrite.Shared and only works for delegated permissions.
That said when it comes to flow to use, it depends on your requirements. From what you have described you should be able Client credentials flow and applications permissions Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite
Another point is that if your API will not run on behalf of a user then the context of shared mailbox does not apply because Graph will consider shared access if the access token has delegated permissions but with application permissions access, it does not apply. This is why the permissions Mail.Read.Shared or Mail.ReadWrite.Shared are not available on application permissions.
To better understand:
GET /users/{id | userPrincipalName}/mailFolders.. will only work if id | userPrincipalName is not the signed in user and Mail.Read.Shared or Mail.ReadWrite.Shared are added as delegated permissions
GET /users/{id | userPrincipalName}/mailFolders.. without signed in user will not consider the mailbox as shared.

Test the pass through authentication connection of a new website using PowerShell

I need to test the pass through authentication connection of a new website using PowerShell.
The code that I have just creates the website.
New-WebApplication -Name DLTItemAnalysis -Site 'Default Web Site' -PhysicalPath C:\inetpub\wwwroot\ApplicationFolder\ApplicationFolder -ApplicationPool ApplicationPool
Set-WebConfiguration "/system.applicationHost/sites/site[#name='Default Web Site' and #id='1']/application[#path='/Application']/VirtualDirectory[#path='/']" -Value #{userName=$ServUserName ;password= $ServUserPassword}
Is there a way to also test the user connection like the GUI has?
I am not really sure what you are asking for here. for as documented:
It is an authentication bridge and a new powerful way of cloud authentication while still keeping your passwords on-premise. It securely validates user passwords with on-premise Active Directory without the need of extra on-premise infrastructure like ADFS. Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users with a better experience - one less password to remember and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
When a user types in his user name and password on office 365 portal https://portal.office.com, office 365 service encrypt this using public key and puts it in a queue for validation, one of lightweight agent makes an outbound call from your network to retrieve the user name and password and decrypts the password using organization’s private key and validate it against local AD. Local AD sends back the resulting success or failure and it goes back to Azure portal via an agent and the user is authenticated.
So, this is nothing more than a standard Windows Kerberos auth request being redirected. So, you are only require testing for normal Windows auth.
As noted above, PTA is a communications channel, not an auth type, like basic, integrated, Kerberos, Kerberos(required), etc. For a target to validate a specific auth type, the target has to be configured for it. There is not PTA auth type as noted above that you can configure on a target.
Microsoft's PTA Video
User sign-in with Azure Active Directory Pass-through Authentication
What is Azure Active Directory Pass-through Authentication? Azure
Active Directory (Azure AD) Pass-through Authentication allows your
users to sign in to both on-premises and cloud-based applications
using the same passwords. This feature provides your users a better
experience - one less password to remember, and reduces IT helpdesk
costs because your users are less likely to forget how to sign in.
When users sign in using Azure AD, this feature validates users'
passwords directly against your on-premises Active Directory

Reading Sharepoint user profiles in Office365 using REST API on behalf of an application - Error 500

I am trying to read sharepoint user profiles using REST Api on userprofiles.peoplemanager Service.
We defined an application in azure AD, with "Sharepoint: read user profiles" permission for both application and on behalf of a user.
When i request the service on behalf of a user (for example getpropertiesfor(#v) with any user identifier passed as parameter), everything is working fine.
When i execute the exact same request on behalf of the application, i'm getting a HTTP 500 error.
Am i doing something wrong ?
What am i supposed to be allowed to execute on behalf of an application with the Azure AD permission "Sharepoint: read user profiles" ?

Using O365 REST APIs can I then use Discovery APIs to find user's 0365 SharePoint servers via Oauth2?

we've seen this SO question already and using the O365 REST API we have a working Oauth2 workflow that authenticates an O365 user and returns an access token. Our question is: Once we have an access token for a user, how can we discover the user's SharePoint servers (and associated endpoints) without knowing the authenticated user's O365 SharePoint server URLs ahead of time?
Our application uses Oauth2 workflows to access data on behalf of users from GitHub, DropBox, Google Docs and other services, and typically once user permission has been granted and we have an access token there is a straightforward way of querying/retrieving the resources for the user via the access token.
Once we have an access token, we're calling the O365 Discovery Services. If I'm reading the docs correctly, we should be getting back ServiceInfo entries on a request to the O365 /Services endpoint with an access token, like this:
https://contoso-my.sharepoint.com/personal/alexd_contoso_com
https://contoso-my.sharepoint.com
But at present we only get back O365 File and Contact ServiceInfo entries, even though in the Azure Portal when we created our app we specified Office 365 SharePoint Online Delegated Permission ('Read List').
If there are different O365 endpoints we should be hitting once we have an access token in order to discover a user's SharePoint servers, or if we're using the Discovery Services wrong, please provide a few pointers -- We want to solve this problem in a generic fashion based on Oauth2 workflow and don't want to prompt the user for things like O365 SharePoint Server URLs.
Lastly I'd mention that we're accessing this info in a purely RESTful fashion and we have no Windows-specific dependencies (in fact we're building things on the JVM) so a workable solution for us must not depend on Windows-only APIs or platforms.