I am trying out Office 365 Rest APIs.
I have registered application with Azure AD.
It has following permission set: Exchange: Access All User's Mailbox, Full Control on User's Calendar, Full Control on User's Contacts, Full Control on User's Mailbox
I have generated access token with admin grant which has global admin privileges.
Sent following request 'https://outlook.office365.com/api/users/me/messages' which resulted in correct results giving me all messages in current admin's mailbox
Sent following request 'https://outlook.office365.com/api/users/{another user's email}/messages'. This resulted in following error
"u'error': {u'message': u'Access is denied. Check credentials and try again.', u'code': u'ErrorAccessDenied'}}"
Please let me know if above steps are wrong ?
If they are wrong, is there a way to fetch emails from another user's mailbox as I have admin credentials ?
Thanks.
You need to use a service account as described in this blog, for your scenario and the app will be able to make calls to interact with any mailboxes in that tenant. The reason your request to use another user's mailbox is failing is because the request will be approved only if the app and user have permissions to access the other user's mailbox. In your case, the admin has permissions to the other user's mailbox. But the app, assuming you used OAuth code flow, to get the OAuth token, only has permissions to the authenticated user's mailbox.
Also, you don't need "Access All User's Mailbox" permissions for REST APIs, as they are meant for using Exchange Web Services (EWS) SOAP APIs.
If someone is looking for the solution, it was a problem of service principal.
We were pointing to the wrong Service Principal and that was the cause of the issues with permissions.
Related
We have a problem consenting permissions and obtaining access tokens to call MSGraph API. Our product is like follows:
We have an API that works with MSGraph. Until now, we have been using Aplication permissions to access resources as mail and calendar.
We would like to start using Task To-Do API and it only supports Delegated permissions.
Our API works with multiple tenant and multiple users in each tenant.
We use admin consent to give all necesary permissions and generate a token aftewards to make requests to MSGraph (Aplication permissions endpoints). With these new changes, is there a way to generate a token valid for To-Do API directly from an administrator, or is mandatory that each user signs in to create a personal auth token valid for this API? We would like to avoid the proccess of user sign in as our API is meant to work behind another application we do not develop after administrator has given consent.
Thank you in advance
In your case, you are using client credentials flow and with that you can not have signed in user or delegated permissions as MS Graph Todo APIs only support delegated permissions.
For you to use the To-Do Graph APIs, you have to can incorporate user signin. If this not possible in your scenario, then you can upvote this feature request - Allow Graph API calls to work with both todo tasks and plannerTasks using application permissions
I am wondering if there is anyway to check if the entered username and password is correct despite of enforcing multi factor authentication in Azure Active Directory?
I have set up an app with application permission(with admin consent) as well as delegated permission and is able to test both approach using ConfidentialClient and PublicClient using MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach which is interactive and displays you a popup for the Microsoft login. So, the only approach I see here is to use app-only authentication.(https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth )
I can use the confidential client(app only) since I have all the required admin consents granted to get the OAuth token and then impersonate the user to access to EWS managed api.
But the requirement is the user should enter their outlook password in the webform app before loading their emails(from EWS Managed API which needs OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference why I am no able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want to check the username and password by Azure AD first and using the confidential client to call APIs on behalf of the user.
This way is something hacking, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&Client_secret=<confidential client app sec>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong user name and password, the response would be:
If username and password are all right, the response report the MFA related info:
I want to aggregate my clients' ad account into my business account automatically.
The client is already logged in via oauth2 process in my website and grant the permissions, ["ads_read", "ads_management", "manage_pages"].
I'm succeeded to request access for the client using the endpoint POST /<business_id>/client_ad_accounts.
Request image in the client Ad account setting page:
And, There is a problem.
I want to accept this request programmatically using the client's ACCESS_TOKEN.
POST /act_<client_ad_account_id>/agencies
-d "business=<my_business_id>&access_token=<client_access_token>"
But, I have a error message (#10) Ad account <client_ad_account_id> must be managed by a business account to approve agency access.
Is it possible to accept this request programmatically? If that's possible, what should I do?
self answer: Connect client page to the client's business account and add permission business_management. Then, everything works fine.
Microsoft Graph uses application permissions for background services. For Outlook APIs, application permission Mail.ReadWrite grants access to all mailboxes.
Is there a way to restrict access to a particular mailbox?
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
No you should use delegate access in that instance and the Mail.ReadWrite.Shared grant which will give access the Mailbox of the Owner and any of the Mailboxes Shared with that users (eg they have been delegated access to).
I agree what your talking about would be a nice feature being able to opt out of Application permissions for certain mailboxes/users etc is a requirement that comes up but the ability to do so doesn't exist. One way to mitigate that is with logic on the server side eg force the application to check a group before accessing Mailboxes etc and make sure auditing is switch on so you can catch any malicious use of the tokens and credentials.
Graph authentication through Client Credentials flow - Will my app have access to just my user account or to the whole organization?
https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/concepts/auth_v2_user.md
This is now possible according to Microsoft Docs.
Some apps call Microsoft Graph using their own identity and not on
behalf of a user. These are usually background services or daemon apps
that run on a server without the presence of a signed-in user. These
apps make use of OAuth 2.0 client credentials grant flow to
authenticate and are configured with application permissions, which
enable such apps to access all mailboxes in a organization on Exchange
Online. For example, the Mail.Read application permission allows apps
to read mail in all mailboxes without a signed-in user.
Administrators who want to limit the app access to a specific set of
mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to
configure access control.
I am developing a web application for Office 365 for business. I authorize it with my admin account. So I have access token for calling REST APIs on behalf of admin user.
Is there a way to call APIs on behalf of another user inside my organization?
Or is there any other way to get the list of another user's files in OneDrive?
You need to get the app only token to access data belonging to other users.
Please follow the steps here to register the app and then follow these to get the required token