I have authenticated with Azure & OAuth to receive an access token. Now I want to read their Outlook emails through a Microsoft Graph endpoint from a native WPF desktop app using c#. However my request to get the emails, of the currently signed in user, fails with a 501 error. The delegated permissions my app has are:
View users' email address
Access user's data anytime
Sign users in
Read user mail
Sign in and read user profile
Here is my network trace.
Now I'm getting a 404 too
Based on the quest, were you authenticate the app with external user for the Azure AD?
If I understood correctly, the Microsoft Graph API only support for the users in the tenant.
Related
I want to develop a custom ASP.NET Web API which can be used to send out emails as a user using the Microsoft Graph API. I think this will be a Multi-tenant application. Below are few ideas I have and some questions:
I have a working ASP.NET MVC web application where different users can login using their unique credentials provided by us.
I have an "Email Setup" section in my web app. Every user will navigate to this section one-time and be redirected to the "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={{client_id}}&response_type=code&redirect_uri={{redirect_uri}}&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345"
On the consent screen user will sign in using their Microsoft Office 365 credentials and provide consent to my app.
On providing consent, user will be redirected back to my web app and I will get Access token for the code returned and store the access token in a SQL database.
User navigates to a page to send email, fills in the To, Subject, Body, Attachments etc. and clicks on the "Send" button.
On send button, my ASP.NET web app will call our custom Web API to send the email. The API will have an endpoint that knows the user and will get appropriate access token from the SQL database to send email on that user's behalf.
Questions:
Do I need to register an Azure App with type "Multi-tenant" since I want to support users from different tenants?
What kind of scopes/permissions will be required in order to "Send Email" as the user?
Do I need Delegated/Application permissions on the Azure side?
How can I ensure that the email that is sent, also gets saved to that user's "Sent Items" folder on Outlook?
According to the sending email graph api, we can see it provides the Application api permission, that means you can create an azure ad application and assign the Mail.Send permission to this api and using client credential flow to generate access token to call this api, so it's not necessary to creating a multi-tenant azure ad application via this way.
And certainly, if you insist on auth code flow to generate access token to using delegate permission to call the api, you should creating a multi-tenant application so that users from different tenant can generate access token through this azure ad application.
I have application which uses EWS with basic authentication. As mentioned here. I'm trying to get away from basic authentication and use OAuth.
I want to know if it is mandatory to have full_access_as_app or I would be able to send emails if only Mail.Send permission is granted in azure?
Note : My application just wants to send email. Right now I'm getting 401 error and azure have only Mail.Send permission
Yes it is, EWS is a legacy API so doesn't support the more constrained permission that the Graph supports. If your app only sends email why not just migrate it to the Graph the Auth will be same and its really just one API call to send an email and you app will be a lot more secure.
I can login to Outlook 365 in my web with MS Graph without user action. I'm using simple-oauth2 module and oauth2.ownerPassword.getToken method to generate tokens with username/password from my database.
I'd like embed Outlook.com in my web for each user (with their credentials).
Is there any way to do this?
Why would you do that?
If your application already lets the user login with Azure Ad account, you could use the on-behalf-of flow. Then your web application can request a token for another resource by sending the access token of the user for the current application.
If they aren’t logged in to Azure ad already you could have a look at the client credentials flow. Then your application will just get a token with access to all mailboxes.
I'm trying to access the signed in user's Profile Photo in the context of an email app which uses EWS to connect to Office 365.
The app is registered on portal.azure.com with the following required permissions:
Office 365 Exchange Online -> Access mailboxes as the signed-in user via Exchange Web Services
Windows Azure Active Directory -> Sign in and read user profile
The EWS part works just fine, I'm able to sign the user in, get the access and refresh tokens, and perform EWS operations using "Authorization: Bearer access_token".
The part I'm having trouble with is getting the user's profile photo.
This is the docs I'm going by:
https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations
The API endpoint I'm trying to use is:
GET https://outlook.office.com/api/v2.0/me/photo
... with "Authorization: Bearer access_token" header.
The above API returns this response:
HTTP 403
{"error":{"code":"ErrorAccessDenied","message":"Access is denied.
Check credentials and try again."}}
What could be wrong?
According to the above docs, getting user's photo should be possible using the user.read scope.
The "Sign in and read user profile" permission I mentioned above has a tooltip saying "User.Read", so I believe that's the right scope
I've tried decoding my access token at jwt.io, it has: "scp": "full_access_as_user" - where is my User.Read scope, or does "full access" include "user.read"?
Any ideas?
This is because that you tried use v2 endpoint Rest API but you didn't register the Application with v2 endpoint.
User Photo API is only available on Azure AD v2 authentication endpoint, Not Azure AD and Oauth:
You need to go to Microsoft Application Registration Portal to register your Application. For more details , you can refer to this document.
Just for the record:
Since we were not able to use OAUTH2 APIs for this -
since and our app uses EWS (Exchange Web Services) already...
We just ended up using the GetUserPhoto command with the user's (account's) own email address.
Works fine.
Is it possible to get all email from all mailboxes in MS Exchange?
I have full rights in Azure console for Office365 exchange online.
http://i.stack.imgur.com/DF5n5.png
But when I'm trying make an request to
https://outlook.office365.com/EWS/OData/Users('user#company.onmicrosoft.com')/Inbox/Messages
getting an error "The specified object was not found in the store."
But for logged in admin
https://outlook.office365.com/EWS/OData/Me/Inbox/Messages
https://outlook.office365.com/EWS/OData/Users('admin#company.onmicrosoft.com')/Inbox/Messages
works well.
What should I do, to get access for read mail for all my users in office 365?
The current authorization model for Office 365 Mail, Calendar and Contacts services does not currently expose a permission that would allow your app to query other users' mailboxes.
The REST API consent flow allows you to register a web app that requires Admin consent. Once your web app has been given the global admin consent, it should be able to access information for all users under that tenant.
See the following post for more information:
http://msdn.microsoft.com/EN-US/library/office/dn605895(v=office.15).aspx#ConNavExample_config