EWS Java Api - Extended Properties and privileges to set/get - properties

I have a short question about MS Exchange Server. I want to sign messages with a custom ExtendedProperty on client mailboxes, but I want to know whether it is possible for the Exchange Server admin to block my privileges to set/get/create ExtendedProperties if I have read privileges on the mailbox?

No, you can't do that: the owner of the mailbox will always have rights to do what they want to any message in their own mailbox. IRM is probably more what you need to look at for a solution like that: https://support.office.com/en-us/article/introduction-to-irm-for-email-messages-bb643d33-4a3f-4ac7-9770-fd50d95f58dc.
The other way to do this is to have an external service that stores whatever verification you need and then match that to something like the internetMessageId and a checksum.

Related

What is the Correct Microsoft Graph API Permission for Reading Mailbox to specific user only

Good day!
I just want to ask about Microsoft Graph API permissions. There are too many options here, but my goal is to have full access ONLY to a specific account and read the mailbox (Subject, Email Body, attachments and Sender Email); the system will read the mails from the back end from that specific account only (like basic auth).
I'm trying to make a system for my org. I don't have full control of the Azure portal, so I create an API permission request.
What option do I need to include in my API permission request?
I saw the "Mail.Read" option,
but I think the scope of this option is to access ALL other mail accounts without signing in. Correct me if I'm wrong, but what I really need is for a single account only.
Thank you in advance
Access to the Graph API is normally done in one of two ways:
On behalf of a user
As an application (no user)
The permissions required for each access type are different and are documented for each API endpoint under the Permissions section. On-behalf-of-user access requires "delegated" type permissions and application access requires application permissions.
If you use "on behalf of user" access (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the API endpoints you are using, then you only have access to the data that that user has access to (even if you have permissions like ".All").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allow the app to read mail in all mailboxes without a signed-in user, whereas Delegated permissions allow the app to read email in the signed-in user's mailbox; check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only, so you need to use Delegated permissions, which don't require admin consent.
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as: you may want to have a user who has an admin role, and only this user can query mail information for all other users?
If so, you must have a sign-in popup window to let users sign in; then your application can validate the user to check if the signed-in user is in the admin role to determine whether to allow this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf of this specific user. In this scenario, I'm afraid you can use the client credential flow directly with the application permission.

Reading Exchange active directory info

No matter how much research I do, I can't find anywhere the information on how to get access to the Exchange information in Active Directory.
I am already using UserPrincipal and AccountManagement to access the AD user's info. Is there a similar way for Exchange?
I just want to read the following:
ActiveSync enabled
Mailbox Size Quota
The proxies
This information is all available in the "Active Directory Users and Computers" console that we have access to. I just need to figure out how to access it. Is there a class for that already?
regards,
ActiveSync enabled
Use the protocolSettings attribute.
Mailbox Size Quota
This would only be set if the user has a specific mailbox quota value set; by default this is null and the mailbox database setting is used, see http://blogs.technet.com/b/exchange/archive/2006/09/20/3394913.aspx. The AD attributes for this are mDBStorageQuota, mDBOverQuotaLimit, mDBOverHardQuotaLimit and mDBUseDefaults.
The Proxies
Use the proxyAddresses attribute: https://msdn.microsoft.com/en-us/library/ms679424(v=vs.85).aspx
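An added example (not code from the answer above) that interprets the attributes the answer names. The lookup delegate is an assumption that hides the directory: in production it would wrap a System.DirectoryServices.DirectoryEntry as `name => entry.Properties[name].Cast<object>().ToArray()`; here it reads a constructed dictionary so the logic runs without a domain.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class ExchangeAdAttributes
{
    // Interprets the Exchange-related attributes from any attribute source.
    public static Dictionary<string, object> Read(Func<string, object[]> lookup)
    {
        var r = new Dictionary<string, object>();

        // protocolSettings is multi-valued, one string per protocol; returned raw.
        r["protocolSettings"] = lookup("protocolSettings").Select(x => x.ToString()).ToArray();

        // Quotas are stored in KB and only when the mailbox overrides the database
        // default; mDBUseDefaults == true means the database value applies instead.
        bool useDefaults = lookup("mDBUseDefaults").FirstOrDefault() is bool b && b;
        foreach (var attr in new[] { "mDBStorageQuota", "mDBOverQuotaLimit", "mDBOverHardQuotaLimit" })
        {
            object q = lookup(attr).FirstOrDefault();
            r[attr] = (useDefaults || q == null) ? "(mailbox database default)" : q + " KB";
        }

        // proxyAddresses: the upper-case "SMTP:" entry is the primary address,
        // lower-case "smtp:" entries are aliases; other prefixes (X400, sip) are skipped.
        var proxies = lookup("proxyAddresses").Select(x => x.ToString()).ToArray();
        r["primarySmtp"] = proxies.FirstOrDefault(p => p.StartsWith("SMTP:", StringComparison.Ordinal))?.Substring(5);
        r["aliasSmtp"] = proxies.Where(p => p.StartsWith("smtp:", StringComparison.Ordinal))
                                .Select(p => p.Substring(5)).ToArray();
        return r;
    }

    public static void Main()
    {
        // Constructed sample standing in for one AD user object (not real data).
        var sample = new Dictionary<string, object[]>
        {
            ["protocolSettings"] = new object[] { "HTTP§1§1", "OWA§1" },
            ["mDBUseDefaults"] = new object[] { false },
            ["mDBStorageQuota"] = new object[] { 2097152 },
            ["mDBOverQuotaLimit"] = new object[] { 2359296 },
            ["proxyAddresses"] = new object[] { "smtp:alias@example.com", "SMTP:user@example.com", "X400:c=us;p=example" },
        };
        Func<string, object[]> lookup = n => sample.TryGetValue(n, out var vals) ? vals : new object[0];
        foreach (var kv in Read(lookup))
            Console.WriteLine($"{kv.Key} = {(kv.Value is string[] a ? string.Join(", ", a) : kv.Value)}");
    }
}
```

With the sample, mDBOverHardQuotaLimit is absent and reports the database default while the two set quotas print in KB; the primary address resolves to user@example.com.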

FTP users stored in IIS

I need a little guidance on what I can do with an FTP site I am creating.
Essentially the FTP site is to provide data that end users have requested. The workflow is as follows:
User selects what data they want -> User's info (contact, requested data/formats, custom user and password string) stored in SQL table -> Email sent to FTP manager with unique ID of end user -> FTP manager runs script using unique ID as input, generating the requested data -> Data stored in directory on FTP server and email sent to end user with credentials for obtaining data.
So far, everything up to the credentials part of my workflow is working. The FTP site uses no authentication as of right now (because I'm not sure what needs to be done to set it up).
My question is: is it possible for me to create IIS users to access the FTP site using the user/password string I create when the end user makes the request, so that I can use some authorization on the FTP site? Am I even approaching this in the correct manner? I'm no IIS/DB guru, but I know enough to break something.
What I think I should do:
Set the authentication to use IISManagerAuth, and with magic create the IIS users based off the credentials I create from the end user request (this is what I am going to try to do while you smart folk point and laugh at my lack of understanding and blindness to the inevitable).
Any guidance appreciated!

How to get SMTP details automatically in VB.NET like in thunderbird

I have made a VB.NET application. I have read tutorials on how to use SMTP to send emails from VB.NET, and finally I got one working.
But I have an issue with it: I don't want to bother the user to input all their details like the SMTP server name and all that stuff.
I just want the user to input their Username and Password and have all the other necessary details become available to the application. Just like Thunderbird: when I enter my Username and Password in Mozilla Thunderbird it automatically gets all the other required data and configures my email account.
Now what I want to accomplish is that a user should fill in their details, i.e. Username and Password, and the email, using their Username and Password, should be sent to the email address specified in the program.
To explain more about my project: when an error occurs I want the user to take a screenshot of it and email it to me using this method, so that I can look into the bug.
There is no automatic way of doing this. Each email setup is different and there is no automated configuration specification.
Thunderbird has a built-in database that its developers built and maintain to offer this functionality. See: https://support.mozillamessaging.com/en-US/kb/isp-database
You could do the same, using the @domain.tld part to match the user's email provider against your database.
Microsoft Exchange does offer an automatic configuration endpoint, but I don't think it would prove useful to you as it isn't guaranteed to include SMTP information.
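An added example, not code from the answer or from the Thunderbird project, that parses the XML format Thunderbird's ISP database serves (the answer's link describes it; the public endpoint https://autoconfig.thunderbird.net/v1.1/<domain> returns a document of this shape) and extracts the SMTP settings. Written in C# rather than VB.NET; the sample document is constructed, not a real provider entry, and in real use it would be fetched over HTTPS only.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

public sealed class SmtpSettings
{
    public string Host; public int Port; public string SocketType; public string Authentication; public string Username;
}

public static class AutoConfig
{
    // Picks the <outgoingServer type="smtp"> entry; returns null when the provider lists none.
    public static SmtpSettings ParseOutgoingSmtp(string xml, string emailAddress)
    {
        var server = XDocument.Parse(xml).Descendants("outgoingServer")
                              .FirstOrDefault(e => (string)e.Attribute("type") == "smtp");
        if (server == null) return null;
        string localPart = emailAddress.Split('@')[0];
        return new SmtpSettings
        {
            Host = (string)server.Element("hostname"),
            Port = (int)server.Element("port"),
            SocketType = (string)server.Element("socketType"),       // SSL, STARTTLS or plain
            Authentication = (string)server.Element("authentication"),
            // The database uses placeholders that the client substitutes.
            Username = ((string)server.Element("username") ?? "%EMAILADDRESS%")
                .Replace("%EMAILADDRESS%", emailAddress)
                .Replace("%EMAILLOCALPART%", localPart),
        };
    }

    public static void Main()
    {
        // Constructed sample in the ISP-database format.
        const string sampleXml = @"<clientConfig version=""1.1"">
  <emailProvider id=""example.com"">
    <domain>example.com</domain>
    <outgoingServer type=""smtp"">
      <hostname>smtp.example.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>";
        var s = ParseOutgoingSmtp(sampleXml, "alice@example.com");
        Console.WriteLine($"{s.Host}:{s.Port} {s.SocketType} auth={s.Authentication} user={s.Username}");
        // A password must not cross the wire in clear: refuse to send on a plain socket.
        if (s.SocketType == "plain") Console.WriteLine("warning: provider offers no TLS on this port");
    }
}
```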

Implementing ActiveDirectory account lockout after n tries in WCF

I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet ActiveDirectory. I am using a customized version of this implementation from Microsoft. I need to implement the account lock out logic so that after n retries the account in the ActiveDirectory should get locked-out.
I tried a stateful WCF service to keep track of the failed log-ins. But the client can start over in the next session and continue with the attack.
I know that the Active Directory policy can be set to enforce this, but just querying AD - like the Microsoft solution does to authenticate the user - does not lock out the user.
So I am looking for a solution which will work like logging in to Windows with an incorrect password n times: the account will get locked out as per the policy set in AD.
I have not seen your code, so I'm guessing you have a solution similar to the one implemented in this example; have a look at this link.
In the above example, please have a look at the line
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
This entry object would be used for authentication when you make a search call on Active Directory.
If you are using the user/password that you want to authenticate, then you need not worry about locking it in your code; the Active Directory policy would be enough.
But after reading your comment I guess you have one specific user that you use to search mobile application users to check if they exist in your Active Directory or not. If this is the case, effectively you are never authenticating the mobile users, so those users are never going to be blocked automatically.
I would be interested to know your answer.
There are basically two ways of doing this:
You continue the directory search method you are using, but track the number of logins for each user in a custom database, and check this database before doing the directory search.
Use the Windows login instead, and rely on AD to lockout the user. For a description of how to do this check: Active Directory (LDAP) - Check account locked out / Password expired
Edit
After seeing marc_s's comment, I am unsure if doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.
The code you linked to had this line
object obj = entry.NativeObject;
which was to force authentication. Have you included this line?
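An added example (not code from either answer or from the linked Microsoft sample) of the design the thread converges on: bind to AD with the end user's own credentials and touch NativeObject so the bind happens on every attempt, which lets the domain lockout policy count failures. The LDAP path and account names are assumptions; the error-code mapping uses the standard "data NNN" sub-codes AD returns in the bind error text.

```csharp
using System;
using System.DirectoryServices;
using System.Text.RegularExpressions;

public static class AdAuthenticator
{
    public enum Outcome { Success, BadCredentials, LockedOut, PasswordExpired, MustChangePassword, Disabled, OtherFailure }

    // Maps the hex "data NNN" code in an AD bind error to a result.
    public static Outcome Classify(string extendedErrorMessage)
    {
        var m = Regex.Match(extendedErrorMessage ?? "", @"data ([0-9a-fA-F]+)");
        if (!m.Success) return Outcome.OtherFailure;
        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "52e": return Outcome.BadCredentials;
            case "775": return Outcome.LockedOut;
            case "532": return Outcome.PasswordExpired;
            case "773": return Outcome.MustChangePassword;
            case "533": return Outcome.Disabled;
            default:    return Outcome.OtherFailure;
        }
    }

    // Binds as the user being authenticated, never as a shared service account:
    // a search made with a service account never fails for the end user's bad
    // password, which is why the lockout policy never triggers in that design.
    public static Outcome Authenticate(string ldapPath, string domainAndUsername, string password)
    {
        // Reject empty passwords up front rather than relying on the bind to fail.
        if (string.IsNullOrEmpty(password)) return Outcome.BadCredentials;
        try
        {
            using (var entry = new DirectoryEntry(ldapPath, domainAndUsername, password, AuthenticationTypes.Secure))
            {
                object forceBind = entry.NativeObject;   // DirectoryEntry is lazy; this forces the bind now
                return Outcome.Success;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // Log the specific outcome server-side; return only a generic failure to
            // the mobile client so the API does not reveal account state.
            return Classify(ex.ExtendedErrorMessage);
        }
    }

    public static void Main()
    {
        // Constructed error text in the shape AD returns for a locked account.
        Console.WriteLine(Classify("8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"));
        // Live use (needs a domain): Authenticate("LDAP://dc.example.com", "EXAMPLE\\alice", password)
    }
}
```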