Reading Exchange active directory info - vb.net

No matter the research that I do, I can't find anywhere the information to get access to the Exchange information on the active directory.
I am using userprincipal and accountmanagement already to access the AD user's info. Is there a similar way for Exchange?
I just want to read the following:
ActiveSync enabled
Mailbox Size Quota
The proxies
This information is all available in the "Active Directory Users and Computers" console that we have access to. I just need to figure out how to access it. Is there a class for that already?
regards,

ActiveSync enabled
Use the ProtocolSetting Attribute
Mailbox Size Quota
This would only be set if the user has a specific mailbox quota value set; by default this would be null and the Mailbox Database setting would be used, see http://blogs.technet.com/b/exchange/archive/2006/09/20/3394913.aspx. The AD attributes for this are mDBStorageQuota, mDBOverQuotaLimit, mDBOverHardQuotaLimit and mDBUseDefaults.
The Proxies
Use the proxyAddresses attribute https://msdn.microsoft.com/en-us/library/ms679424(v=vs.85).aspx
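The answer names the attributes but not the rules for reading them. The following is an added example (not code from the original post) that applies those rules to a constructed user entry: the mDB* quota values count only when mDBUseDefaults is false, and proxyAddresses marks the primary SMTP address with an upper-case "SMTP:" prefix and every other SMTP alias with lower-case "smtp:". The entry dict, the database-level defaults and all addresses are constructed to stand in for what DirectoryEntry or an LDAP client returns; ActiveSync is left out because the page does not show how the protocol settings attribute is encoded.

```python
"""Derive the Exchange settings named in the answer above from raw AD attributes.

Added example, not from the original post. SAMPLE_USER and DATABASE_DEFAULTS are
constructed; quota attributes are integers in kilobytes, mDBUseDefaults a boolean.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a user with mailbox-specific quotas and four proxy addresses.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "mDBUseDefaults": False,
    "mDBStorageQuota": 1048576,        # issue warning at 1 GiB
    "mDBOverQuotaLimit": 1572864,      # prohibit send at 1.5 GiB
    "mDBOverHardQuotaLimit": 2097152,  # prohibit send and receive at 2 GiB
    "proxyAddresses": [
        "smtp:john.doe@contoso.example",
        "SMTP:jdoe@contoso.example",
        "X500:/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=jdoe",
        "sip:jdoe@contoso.example",
    ],
}

# Constructed: the mailbox database's own limits, which apply whenever
# mDBUseDefaults is true (they live on the database object, not on the user).
DATABASE_DEFAULTS = {"warn": 2097152, "prohibit_send": 2359296, "prohibit_send_receive": 2621440}


@dataclass
class Quota:
    source: str                            # "user" or "database"
    warn_kb: Optional[int]
    prohibit_send_kb: Optional[int]
    prohibit_send_receive_kb: Optional[int]


def effective_quota(entry: dict, db_defaults: dict = DATABASE_DEFAULTS) -> Quota:
    """Rule from the answer: per-user mDB* values apply only when mDBUseDefaults is
    false. An absent attribute is treated here as "use defaults" (assumption
    matching the answer's note that the user value is null by default), and the
    per-user attributes are then ignored even if they are present."""
    if entry.get("mDBUseDefaults", True):
        return Quota("database", db_defaults["warn"], db_defaults["prohibit_send"],
                     db_defaults["prohibit_send_receive"])
    return Quota("user", entry.get("mDBStorageQuota"), entry.get("mDBOverQuotaLimit"),
                 entry.get("mDBOverHardQuotaLimit"))


def parse_proxy_addresses(values: List[str]) -> Tuple[Optional[str], List[str], Dict[str, List[str]]]:
    """Split proxyAddresses into (primary SMTP, secondary SMTP list, other types).

    Exchange marks the primary SMTP address with an upper-case "SMTP:" prefix and
    every other SMTP alias with lower-case "smtp:"; X500, SIP, X400 and similar
    entries keep their own prefixes. Two upper-case SMTP: entries mean the object
    is corrupt, so that case is reported instead of silently picking one."""
    primary: Optional[str] = None
    secondary: List[str] = []
    other: Dict[str, List[str]] = {}
    for raw in values:
        prefix, sep, address = raw.partition(":")
        if not sep or not address:
            continue  # skip malformed values rather than crash on a dirty directory
        if prefix == "SMTP":
            if primary is not None:
                raise ValueError(f"two primary SMTP addresses: {primary!r} and {address!r}")
            primary = address
        elif prefix.lower() == "smtp":
            secondary.append(address)
        else:
            other.setdefault(prefix.upper(), []).append(address)
    return primary, secondary, other


if __name__ == "__main__":
    print(effective_quota(SAMPLE_USER))
    print(parse_proxy_addresses(SAMPLE_USER["proxyAddresses"]))
```

The same two functions work unchanged on the attribute values you get back from a DirectorySearcher in VB.NET once they are copied into a dictionary; the only thing that changes is the transport.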

Related

What is the Correct Microsoft Graph API Permission for Reading Mailbox to specific user only

Good day!
I just want to ask about Microsoft Graph API permissions. There are too many options here, but my goal is to have full access ONLY to a specific account and read the mailbox, such as Subject, Email Body, attachment and Sender Email; the system will read the mails from the back end for the specific account only (like basic auth).
I'm trying to make a system for my org. I don't have full control in the Azure portal, so I create an API permission request.
What option need to include in my api permission request?
I saw the "Mail.Read" option,
but I think the scope of this option is to access ALL other mail accounts without signing in. Correct me if I'm wrong, but what I really need is for a single account only.
Thank you in advance
Access to Graph API is normally done one of two ways:
On behalf of user
As a application (no user)
The permissions required for the access type are different and are documented for each API endpoint under the Permissions section. The on-behalf-of-user access requires "delegated" type permissions and application access requires application permissions.
If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the API endpoints you are using, then you only have access to the data that that user has access to (even if you have permissions like ".All").
If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application id to a specific set of mailboxes.
There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allow the app to read mail in all mailboxes without a signed-in user, whereas Delegated permissions allow the app to read email in user mailboxes; check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference
In your case you want to check your mail only, then you need to use Delegated permissions, which don't require admin consent.
Hope this helps
Thanks
-- goal is to have the full access ONLY to specific account and read the mail box
Can I understand your requirement as: you may want to have a user who has an admin role, and only this user can query mail information for all other users?
If so, you must have a sign-in popup window to let users sign in; then your application can validate the user to check if the signed-in user is in the admin role to determine whether to allow this user to query mails.
But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf of this specific user. In this scenario, I'm afraid you can use the client credential flow directly with the application permission.
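The three answers above turn on one distinction: a delegated token carries its permissions in the space-separated "scp" claim and is bounded by the signed-in user, while an app-only (client credentials) token carries them in the "roles" claim and reaches every mailbox unless an Exchange application access policy narrows the app id to specific mailboxes. The following is an added example, not code from any of the answers, that decodes a Graph access token and reports which kind it is. The tokens are constructed with a placeholder signature so the script runs offline; decode_claims() does not verify signatures and is for inspection only, never for authorisation.

```python
"""Classify a Microsoft Graph access token as delegated or application.

Added example, not from the original answers. Azure AD issues delegated
permissions in the "scp" claim and application permissions in the "roles"
claim. Tokens here are constructed with a dummy signature for offline use;
decode_claims() performs NO signature verification.
"""
import base64
import json
from typing import Dict


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed test token in compact JWS form with a placeholder signature."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode("utf-8")),
                     _b64url_encode(json.dumps(payload).encode("utf-8")),
                     "placeholder-signature"])


def decode_claims(token: str) -> dict:
    """Decode the payload only; never trust the result for access decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify(token: str) -> Dict[str, object]:
    """Summarise what the token lets the caller do with mail."""
    claims = decode_claims(token)
    delegated = set(claims.get("scp", "").split())   # delegated: "Mail.Read User.Read"
    app_roles = set(claims.get("roles", []))          # application: ["Mail.Read"]
    if delegated and not app_roles:
        kind = "delegated"
    elif app_roles and not delegated:
        kind = "application"
    elif delegated and app_roles:
        kind = "mixed"      # Azure AD does not issue both; treat as suspect
    else:
        kind = "none"
    mail_perms = {p for p in delegated | app_roles if p.startswith("Mail.")}
    return {
        "kind": kind,
        "subject": claims.get("upn") or claims.get("preferred_username") or claims.get("oid"),
        "mail_permissions": sorted(mail_perms),
        # App-only Mail.* reaches every mailbox in the tenant unless an Exchange
        # application access policy scopes the app id to specific mailboxes. That
        # policy is not visible in the token, so it has to be checked separately.
        "reads_all_mailboxes": kind == "application" and bool(mail_perms),
    }


# Constructed tokens: one delegated (signed-in user), one app-only (client credentials).
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read",
    "upn": "alice@contoso.example", "oid": "00000000-0000-0000-0000-000000000001",
})
APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "roles": ["Mail.Read"],
    "oid": "00000000-0000-0000-0000-000000000002", "idtyp": "app",
})

if __name__ == "__main__":
    for label, tok in (("delegated", DELEGATED_TOKEN), ("application", APP_TOKEN)):
        print(label, classify(tok))
```

When the background, no-popup design from the last answer is what you end up with, the token you get back will look like APP_TOKEN, and "reads_all_mailboxes" is the property you are relying on an Exchange application access policy to undo; verify that policy exists rather than assuming it from the permission name.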

EWS Java Api - Extended Properties and privileges to set/get

I have a short question about MS Exchange Server. I want to sign messages with a custom ExtendedProperty on client mailboxes, but I want to know whether it is possible for an Exchange Server admin to block my privileges to set/get/create ExtendedProperties if I have read privileges on the mailbox?
No, you can't do that; the owner of the mailbox will always have rights to do what they want to any message in their own mailbox. IRM is probably more what you need to look at for a solution like that: https://support.office.com/en-us/article/introduction-to-irm-for-email-messages-bb643d33-4a3f-4ac7-9770-fd50d95f58dc.
The other way to do this is have an external service that stores whatever verification you need and then match that to something like the internetMessageId and a checksum.
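The second approach in the answer, an external service that stores its own verification record and matches it against the InternetMessageId and a checksum, works precisely because the mailbox owner can rewrite an extended property but cannot write to that service. The following is an added example, not code from the original post, of such a service: it keeps an HMAC-SHA256 tag over the InternetMessageId and a digest of the fields it attests, and later reports whether a message is unchanged, altered, or never registered. The key, the in-memory store and the three messages are constructed for the demo; a deployment would keep the key in an HSM or KMS and the store behind an authenticated API.

```python
"""Out-of-mailbox message verification, the second approach in the answer above.

Added example, not from the original post. The mailbox owner can edit any
extended property, so the proof of origin is an HMAC kept by a service the
owner cannot write to. SERVICE_KEY, the store and the messages are constructed.
"""
import hashlib
import hmac
from typing import Dict

SERVICE_KEY = b"constructed-demo-key-replace-with-a-managed-secret"
SIGNED_FIELDS = ("from", "subject", "body")   # the parts whose integrity is attested


def _canonical(msg: Dict[str, str]) -> bytes:
    """Length-prefix every field so 'ab'+'c' and 'a'+'bc' cannot collide."""
    out = bytearray()
    for name in SIGNED_FIELDS:
        data = msg.get(name, "").encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def content_digest(msg: Dict[str, str]) -> str:
    return hashlib.sha256(_canonical(msg)).hexdigest()


def tag_for(msg: Dict[str, str], key: bytes = SERVICE_KEY) -> str:
    """HMAC-SHA256 over InternetMessageId || 0x00 || content digest."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(msg["internetMessageId"].encode("utf-8"))
    mac.update(b"\x00")
    mac.update(content_digest(msg).encode("ascii"))
    return mac.hexdigest()


class VerificationStore:
    """Minimal in-memory stand-in for the external verification service."""

    def __init__(self, key: bytes = SERVICE_KEY) -> None:
        self._key = key
        self._tags: Dict[str, str] = {}

    def register(self, msg: Dict[str, str]) -> None:
        """Called by the trusted sending path only, never by mailbox clients."""
        self._tags[msg["internetMessageId"]] = tag_for(msg, self._key)

    def verify(self, msg: Dict[str, str]) -> str:
        """'ok', 'unknown' (never registered) or 'tampered' (content changed)."""
        expected = self._tags.get(msg["internetMessageId"])
        if expected is None:
            return "unknown"
        if hmac.compare_digest(expected, tag_for(msg, self._key)):
            return "ok"
        return "tampered"


# Constructed messages: the original as sent, a copy edited inside the mailbox,
# and one that was never registered with the service.
ORIGINAL = {
    "internetMessageId": "<c0ffee.1234@mail.contoso.example>",
    "from": "hr@contoso.example",
    "subject": "Payroll change",
    "body": "Please confirm your bank details on the HR portal.",
}
EDITED = dict(ORIGINAL, body="Please send your bank details to payroll@attacker.example.")
UNKNOWN = dict(ORIGINAL, internetMessageId="<deadbeef.5678@mail.contoso.example>")

if __name__ == "__main__":
    store = VerificationStore()
    store.register(ORIGINAL)
    for label, m in (("original", ORIGINAL), ("edited", EDITED), ("unknown", UNKNOWN)):
        print(label, store.verify(m))
```

Binding the tag to the InternetMessageId as well as the content stops a registered message's tag from being replayed onto a different message with the same text, and the keyed MAC stops anyone with read access to the mailbox from forging a valid record for an edited copy.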

How to find all Outlook calendars you have permission set-up for?

I visited a remote site the other day where I will be seeing people in the future. While there I had a user choose the "SITEX - CONSULT ROOM 1" Calendar, right click and go into the Calendar properties --> Permission --> Add .. and add my name as an Owner.
Now returning to my own machine and Outlook it doesn't seem to come up, and I cannot seem to work out the name when searching for it.
Is there any way in VBA to search Exchange server for the Calendar(s) shared to me?
No, you can get a list of mailboxes to which you have delegate access (that information is stored in the AD and is accessible through the Extended MAPI or Redemption), but per-folder access rights are stored on the folder itself. There is no master list.

When using OpenDS for SMTP account status notification, how do I include user's name in notification?

We are using OpenDS for SMTP account status notification to notify users when their password is nearing expiration. The SMTP account status notification handler works fine to notify the user and a list of Server admins when the password is soon to expire but we are not able to find a way to have the customer's name in the email.
The notification handler has no issue pulling the customer's email address and also referencing the password policy to correctly identify the pending password expiration, so why not also identify the customer by name in the email? All this information is available, so how would a variable be set to pull and use this customer information?
The notification handlers are quite powerful but definitely under-documented.
It's possible to identify the user by mail in the email. I've looked at the code of OpenDJ (the actively developed branch of OpenDS, http://opendj.forgerock.org), and you can reference any attribute from the user entry within the template.
More specifically, for the mail attribute of the user, you should use this property in the template (templates are under the config/message/ directory):
%%notification-user-attr:mail%%
I haven't tested, but it should work.
I hope this helps.
Ludovic Poitou
PS: I've been told by our technical writer that all tokens that can be used in the template messages are actually documented as part of the OpenDJ administration guide: http://opendj.forgerock.org/doc/admin-guide/index.html#account-status-notification

Implementing ActiveDirectory account lockout after n tries in WCF

I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet ActiveDirectory. I am using a customized version of this implementation from Microsoft. I need to implement the account lock out logic so that after n retries the account in the ActiveDirectory should get locked-out.
I tried with a stateful WCF service to keep track of the failed log-ins. But the client can start over in the next session and continue with the attack.
I know that the ActiveDirectory policy can be set to enforce this, but just querying the AD - like the Microsoft solution does to authenticate the user - does not lock out the user.
So, I am looking for a solution which will work like logging in to Windows with an incorrect password n times: the account will get locked out as per the policy set in the AD.
I have not seen your code. So I'm guessing you have a similar solution to the one implemented in this example; have a look at this link.
In above example, please have look at line
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
this entry object would be used for authentication when you make a search call on active directory.
If you are using the user/password that you want to authenticate, then you need not worry about locking it in your code. The Active Directory policy would be enough.
But after reading your comment I guess you have one specific user that you use to search for mobile application users to check if they exist in your Active Directory or not. If this is the case, effectively you are never authenticating the mobile users, so those users are never going to be blocked automatically.
I would be interested to know your answer.
There are basically two ways of doing this:
You continue the directory search method you are using, but track the number of logins for each user in a custom database, and check this database before doing the directory search.
Use the Windows login instead, and rely on AD to lockout the user. For a description of how to do this check: Active Directory (LDAP) - Check account locked out / Password expired
Edit
After seeing marc_s's comment, I am unsure if doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.
The code you linked to had this line
object obj = entry.NativeObject;
Which was to force authentication. Have you included this line?
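The first option in the second answer, counting failures yourself, only works if the counters survive the client disconnecting and reconnecting, which is exactly what the asker's stateful WCF service failed to do. The following is an added example, not code from either answer, of that counter kept in a shared store with the semantics of an AD lockout policy: a threshold, an observation window after which the count resets, and a lockout duration. The in-memory sqlite database stands in for a real shared store, and the bind() callable stands in for the DirectoryEntry / NativeObject bind; both are constructed for the demo. The reason this layer is needed is the point the answers circle around: only a bind with the user's own credentials makes the domain controller count the bad password, while a search done with a service account never locks anyone out.

```python
"""Persistent failed-login tracking in front of the AD bind.

Added example, not from the original answers. LockoutPolicy mirrors an AD
account lockout policy (threshold, reset window, duration) in a store that
outlives any one client session; demo_bind is a constructed stand-in for the
real DirectoryEntry bind with the user's credentials.
"""
import sqlite3
import time
from typing import Callable, Optional


class LockoutPolicy:
    def __init__(self, conn: sqlite3.Connection, threshold: int = 5,
                 observation_window: float = 600.0, lockout_duration: float = 900.0) -> None:
        self.conn = conn
        self.threshold = threshold                  # failures before lockout
        self.observation_window = observation_window  # seconds before the count resets
        self.lockout_duration = lockout_duration    # seconds the account stays locked
        conn.execute("""CREATE TABLE IF NOT EXISTS login_state (
                            username TEXT PRIMARY KEY,
                            bad_count INTEGER NOT NULL DEFAULT 0,
                            last_failure REAL,
                            locked_until REAL)""")
        conn.commit()

    @staticmethod
    def _key(username: str) -> str:
        # AD logon names are case-insensitive; "Bob" and "bob" must share one count.
        return username.strip().lower()

    def _row(self, username: str):
        cur = self.conn.execute(
            "SELECT bad_count, last_failure, locked_until FROM login_state WHERE username = ?",
            (self._key(username),))
        return cur.fetchone()

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        row = self._row(username)
        return bool(row and row[2] is not None and row[2] > now)

    def record_failure(self, username: str, now: Optional[float] = None) -> bool:
        """Count one bad password. Returns True if the account is locked afterwards."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return True                       # attempts during a lockout are not counted
        row = self._row(username)
        count = 0
        if row and row[1] is not None and now - row[1] <= self.observation_window:
            count = row[0]                    # still inside the window: keep counting
        count += 1
        locked_until = None
        if count >= self.threshold:
            locked_until = now + self.lockout_duration
            count = 0                         # fresh count once the lockout expires
        self.conn.execute(
            "INSERT OR REPLACE INTO login_state(username, bad_count, last_failure, locked_until) "
            "VALUES (?, ?, ?, ?)", (self._key(username), count, now, locked_until))
        self.conn.commit()
        return locked_until is not None

    def record_success(self, username: str, now: Optional[float] = None) -> None:
        self.conn.execute("DELETE FROM login_state WHERE username = ?", (self._key(username),))
        self.conn.commit()


def authenticate(policy: LockoutPolicy, username: str, password: str,
                 bind: Callable[[str, str], bool], now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'. The lock is checked before the bind
    so a locked account never reaches the directory, and counted after it."""
    now = time.time() if now is None else now
    if policy.is_locked(username, now):
        return "locked"
    if bind(username, password):
        policy.record_success(username, now)
        return "ok"
    return "locked" if policy.record_failure(username, now) else "bad_password"


def demo_bind(username: str, password: str) -> bool:
    """Constructed stand-in for the LDAP bind; a real one binds as the user."""
    return username.strip().lower() == "bob" and password == "correct horse"


if __name__ == "__main__":
    policy = LockoutPolicy(sqlite3.connect(":memory:"), threshold=3)
    for pw in ("wrong", "wrong", "wrong", "correct horse"):
        print(pw, "->", authenticate(policy, "Bob", pw, demo_bind))
```

If the service does bind as the user (the DirectoryEntry with domainAndUsername and pwd, forced by reading NativeObject), the domain's own policy applies as well and this store is a second, earlier gate; if it only searches with a service account, this store is the only thing standing between an attacker and unlimited guesses.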