Mail.ReadBasic equivalent Application scope - azure

I'm trying to access email metadata via Microsoft Graph without access to the content of the emails. From the documentation, I've noticed there is a Mail.ReadBasic permission that might help but this permission only appears as a Delegated scope. My service is a backend task so I need an Application scope.
I would really appreciate some help with these issues:
Is there a way to enable this Mail.ReadBasic permission as an Application permission?
Can I create custom permission for the application?
Can I use Mail.Read and enforce selection of fields to reduce it into Mail.ReadBasic Permission (otherwise requests will be blocked)
Is there any other way to get only the email metadata from the Microsoft Graph (webhooks, access via audit logs, etc)?

1) I am actually the Program Manager in the process of getting this rolled out into Microsoft Graph right now. We are currently deploying this internally to our pre prod env. It is in the deployment process and should be there in all tenants within the next two months.
2 & 3) You cannot create your own custom permissions or reduce fields with Mail.Read.
4) Mail.ReadBasic will get you the email metadata (not body or attachments) with on behalf of flows right now. And soon app-only.

Related

Azure data factory pipeline showing RequestingConsent forever

I am unable to fix the "Requesting Consent" status for an azure Data Factory Pipeline querying some Office365 (Graph) simple data (i.e. smtp addresses and UPN of my colleagues).
Can you suggest me something to check ?
I am adding 2 pictures showing where "Graph Data Connect" is easily enabled, and the always empty PAM (Privileged Access Management) portal.
New image: Graph Data Connect configurator
New image: Empty PAM portal
As per the error we could see its a permission issue where you need to be Granted Permission before querying in Graph to pass simple data (i.e. smtp addresses and UPN of my colleagues).
Here, are the steps how you can add permissions:
You have to create a API permissions service, you have to Grant Permission for reporting API, must allow your app the appropriate
permissions based on the API you wish to access.
Next you could navigate to API Permission in the left column under the Manage.
Then you can click on +Add Permission as shown in bubbles in the Snip.
Please grant the permissions Directory.ReadWrite.All and Users.ReadWrite.All.
At last I found what was missing: it was a licensing requirement, but nothing warned me about this in PAM page. Simply nothing was listed in it.
If you like, here are the requirements nowadays.
Have a nice day to everyone !
Julian

MS Graph API administration

How can I view all subscriptions regardless of the 'app registration' that created it?
On our AAD, we have 2 'App Registration', lets call them regAppA & regAppB. We ran into an issue where we used both apps to create subscription for outlook events. This resulted in multiple events firing for a single change which caused issues down the line when handling them.
The problem is if you call :
GET https://graphUrl/subscriptions (with regAppA secret) you will only get the subscriptions created using that App Registration, and likewise with regAppB's secret
To avoid this situation happening again, I would like to run an automated script/program/whatever, that would get all subscriptions created regardless of the App Registration used to create it and flag issues found in the data.
I could do that using https://developer.microsoft.com/en-us/graph/graph-explorer, but I don't know how-to or if you can use delegated authentication programatically. I need this solution to run with no user intervention.
Any help will be much appreciated.

Azure Applications; How to create a separate authorization page for out of network users

I've been tasked with figuring out a way to make a certain set of Azure users authenticate to a Web Application by accepting/denying a warning message that should be presented before the users are directed to the application itself. The users that should not go through this process are in-network users.. they should be able to input the URL and be presented with a sign-in page and from there they will have access into the application. This has already been configured via Azure AD but the previous issue for out of network users is what i'm having issues with.
My current thoughts on this is to create an a simple authorization page created by an azure function that out of network users will be directed to because the IP addresses will be placed in a conditional access rule to do so. From the simple page the user will be directed to the application or logged out if they choose cancel.
This is just a thought but definitely open to suggestions. Thoughts?
For those who may have been interested in an answer for this question I have figured it out. In order to do this I had to create a "Terms Of Use" within Azure Active Directory. This Terms of use consisted of a pdf file containing the information my user needed to view before accept/deny could be clicked. On the "Terms Of Use" was created I then created a custom conditional access policy which included users needing to accept the "Terms Of Use" before being able to access our Portal or Applications. Hope this helps

Can't use application permissions (roles) to access Microsoft Graph API group calendar

My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to it's calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.

programmatically access sharepoint lists using impersonation

I building a console app that runs under a normal user account to access sharepoint lists programmatically. In order to access Sharepoint objects the console application impersonates the user under the context of which the Sharepoint is running. The impersonation is successful but when I try to access any share point SPWeb objects the following error is given as follows
spWeb.ID = 'spWeb.ID' threw an exception of type 'System.Data.SqlClient.SqlException'
base {System.Data.Common.DbException} = {"Cannot open database \"WSS_Content_92\" requested by the login. The login failed.\r\nLogin failed for user 'DOM\USER'."}
Doesnt the imepersonation should have allowed to access to the underlying database and also do i need to explicitly grant access to the current user to give access to sharepoint lists etc.
Thanks in advance
In a console or windows app when accessing the object model - when you are impersonating the user then the database connection will be made under the users account credentials - so in effect you will have to give each of your users fairly high level permissions to access the database (or better make them a member of a group that has these permissions).
http://technet.microsoft.com/en-us/library/cc721638(office.12).aspx
This is different to the web app where the account used is the AppDomain account of the IIS site.
However - this is a very non-standard setup and is fraught with security risks - do you really want to give your users permission to access that database directly?
Instead can I suggest that you look again at your design - what are you trying to achieve?
Running the console application in the context of the same user as the application pool did the trick. So the solution would be to use the runas command.

Resources