We are already on the verge of retiring basic auth and EWS (Exchange Web Services), yet there are tons of applications that still retrieve attachments and messages using basic auth or EWS. They need to start using OAuth with Microsoft Graph to retrieve messages and attachments, so that the legacy dependencies can be safely removed and the environment secured further. In this article, I explain how an application can access a specific service account only, to retrieve that account's attachments and messages and not those of the whole environment. If the application needs to read mailboxes across the environment, you need to use New-ApplicationAccessPolicy to scope the permission to a particular set of users, which I cover at the end. What we are looking at here is a basic application that needs to retrieve attachments from its own mailbox only, not from the whole environment.
To put it simply: a service account retrieves messages and attachments from one specific Office 365 mailbox using an API (Microsoft Graph).
- Creating an Azure AD application
- Create a test account with a mailbox and add some attachments
- Use Postman to retrieve them using Microsoft Graph
Let's see how to do it. Log in to https://aad.portal.azure.com/
Azure Active Directory – App Registrations – New Registration
readattachments app – register the application
Click on API permissions – Add a Permission
Choose Microsoft Graph
Choose Delegated Permissions – Mail.Read (Allows the app to read the signed-in user’s mailbox.)
Grant Admin Consent – You can see the green mark “Granted for Azure365pro”
Certificates & Secrets – Client Secrets – New Client Secret
Copy your own Secret L-8oAAlOEHe2kpgV~HKh9_124~cCwaqX7u
Click on endpoints
Auth URL = OAuth 2.0 authorization endpoint (v2) = https://login.microsoftonline.com/2549c50e-e478-0000-82cf-fa4efb5d000/oauth2/v2.0/authorize
Access Token URL = OAuth 2.0 token endpoint (v2) = https://login.microsoftonline.com/2549c50e-e478-0000-82cf-fa4efb5d0000/oauth2/v2.0/token
Copy Both URLs
Application (Client) ID
Created a Service mailbox that will receive the attachments
Assign the service account to access the application
Postman is your best friend when it comes to testing OAuth
New – Request
Create a request named "read attachments"
Request Token – once you have filled in all the information below
Now you have your token. The values used:
- Token Name = Friendly Name
- Grant Type = Authorization Code
- Callback URL = https://localhost
- Auth URL = OAuth 2.0 authorization endpoint (v2) - Use it from your tenant - https://login.microsoftonline.com/2549c50e-e478-0000-82cf-fa4efb5d1426/oauth2/v2.0/authorize
- Access Token URL = OAuth 2.0 token endpoint (v2) - Use it from your tenant - https://login.microsoftonline.com/2549c50e-e478-0000-82cf-fa4efb5d1426/oauth2/v2.0/token
- Client ID = (Get it from the Overview Tab like below) - Use it from your tenant - 61745b89-1b77-481d-a8d3-f0b6dc09de68
- Client Secret = (Get it from the Certificates and Secrets Tab like above) - Use it from your tenant - L-8oAAlOEHe2kpgV~HKh9_124~cCwaqX7u
- Scope = https://graph.microsoft.com/.default
- State = State
- Client Authentication = Send Client Credentials in body
Get New Access Token – I entered my service account credentials and received the token
Choose use token
Trying to retrieve messages using the received token
Trying to access an account that is not assigned to my enterprise application: I can access messages of my service account only. Even after assigning the other account, I get the same error, as expected, since the Graph permission allows read-only access for the signed-in account only. Whichever account is used to receive the token, it can retrieve messages from that account only.
Let’s see how to retrieve the attachment using Microsoft Graph
Get the ID of the message to retrieve the attachment
Now you can see the attachment is retrieved using Microsoft Graph.
Let's consider that you are developing a .NET console application and you want the application to retrieve the data without a signed-in user.
Then you need to add an Application permission for the application, so that it can retrieve mail without a sign-in prompt. Note that this application can now read all user mail in the environment. Let's see how to restrict it.
Mail.Read – Read mail in all mailboxes
Create a Mail-Enabled Security group so that you can provide access only to the members of this group
New-ApplicationAccessPolicy -AppId 50f4b7ac-a83a-4f18-8b5a-81273f55a40d -PolicyScopeGroupId email@example.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
Client credentials work if the user is a member of the mail-enabled security group we created; if the user is not a member, we get Access Denied.
Error: Access Denied, "Access to OData is disabled", if the user is not a member of the mail-enabled security group
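As an added example (not code from the article or from Microsoft), here is the application-permission flow described above in Python with only the standard library: the client-credentials exchange against the v2 token endpoint with the .default scope, a check that the issued token really carries Mail.Read in its roles claim rather than a delegated scp claim, the two Graph URLs used (messages of one mailbox, then the attachments of one message), and a test for the 403 "Access to OData is disabled" response that New-ApplicationAccessPolicy produces for a mailbox outside the scope group. Tenant ID, client ID, secret and mailbox are placeholders you supply; the unsigned sample token exists only so the checks can be exercised offline.

```python
import base64, json, urllib.error, urllib.parse, urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials exchange at the v2 token endpoint. scope=.default
    asks for the application permissions already consented (here Mail.Read),
    not for a signed-in user's delegated scopes."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body

def token_roles(access_token):
    """Read the 'roles' claim from the JWT payload (no signature check here;
    Graph validates it). App-only tokens carry 'roles'; a delegated token
    carries 'scp' instead, so [] means the wrong flow produced this token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def unsigned_jwt(claims):
    """Constructed sample only: an unsigned token for offline checks.
    Real tokens come from the endpoint built by token_request()."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'

def attachments_url(mailbox, message_id=None):
    """Step 1: list messages of one mailbox; step 2: attachments of one message."""
    base = f"{GRAPH}/users/{urllib.parse.quote(mailbox)}/messages"
    if message_id is None:
        return base + "?$select=id,subject,hasAttachments&$top=10"
    return f"{base}/{message_id}/attachments"

def is_policy_denied(status, body):
    """True when Exchange refused the mailbox because it is outside the
    New-ApplicationAccessPolicy scope group: 403 ErrorAccessDenied with
    the message 'Access to OData is disabled'."""
    err = body.get("error", {})
    return (status == 403 and err.get("code") == "ErrorAccessDenied"
            and "Access to OData is disabled" in err.get("message", ""))

def graph_get(url, token):
    """One authenticated GET; returns (status, parsed JSON) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, json.load(exc)
```

In use: POST the body from token_request() to its URL, pass the returned access_token through token_roles() to confirm "Mail.Read" is present, then call graph_get() on attachments_url() and treat an is_policy_denied() result as the expected outcome for any mailbox you did not put in the scope group.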