0

Background: We have a Linux-based robotic application (written in LISP) that reads the application support mailbox and responds appropriately to customer emails. Currently the mail reading is done using the IMAP access protocol. As per the new security policy we need to use Microsoft Graph APIs to access/read our application mailbox.

We need to use "resource owner password credential" approach as we do not have any web.

We could not use "Delegated permissions" as our application cannot be the signed-in user.

We wanted to use "Application permissions" like "Mail.ReadWrite" & "Mail.Send". But these application permissions would give access to all the mailboxes in the organization.

So my question is: can my administrator provide "Admin Consent" such that my application can access one mailbox alone?

2 Answers

0

Hi @pavan, you need to get the admin to approve the application permissions and then get them to set an application access policy so it can only access a specific mailbox.

From https://domainaware.github.io/parsedmarc/ :

Use the New-ApplicationAccessPolicy command in the Exchange PowerShell module. If you need to scope the policy to shared mailboxes, you can add them to a mail-enabled security group and use that as the group ID.

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "<CLIENT_ID>" -PolicyScopeGroupId "<MAILBOX>" -Description "Restrict access to specific mailbox."
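The full Exchange Online PowerShell sequence behind that one command, as an added example that is not part of the answer above or of the parsedmarc documentation. The app (client) ID, the mailbox addresses, the admin account and the group name are placeholder values assumed for illustration; substitute your own.

```powershell
# Added example: scope consented application permissions (Mail.ReadWrite / Mail.Send)
# to a single mailbox with an Exchange Online application access policy.
# All identifiers below are assumed placeholders, not values from the original post.
$AppId        = "00000000-0000-0000-0000-000000000000"   # client ID of the app registration
$SupportBox   = "support@contoso.example"                 # the only mailbox the robot may touch
$OtherMailbox = "alice@contoso.example"                   # any other mailbox, used to confirm denial
$ScopeGroup   = "GraphMailAppScope"                       # mail-enabled security group used as the scope
$ScopeGroupSmtp = "$ScopeGroup@contoso.example"

# Requires the ExchangeOnlineManagement module and an Exchange administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# Put the mailbox in a mail-enabled security group. -PolicyScopeGroupId also accepts a
# single mailbox directly, but a group lets you add a second shared mailbox later
# without touching the policy.
New-DistributionGroup -Name $ScopeGroup -Type Security -PrimarySmtpAddress $ScopeGroupSmtp
Add-DistributionGroupMember -Identity $ScopeGroup -Member $SupportBox

# RestrictAccess: the app may only reach mailboxes that are members of the scope group.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroupSmtp `
    -Description "Restrict the support mail robot to the support mailbox"

# Verify before trusting it: the support mailbox should report Granted, any other
# mailbox Denied. Policy changes can take up to about 30 minutes to take effect.
Test-ApplicationAccessPolicy -Identity $SupportBox   -AppId $AppId | Format-List
Test-ApplicationAccessPolicy -Identity $OtherMailbox -AppId $AppId | Format-List

# Review what is in place so a later, broader policy for the same app is noticed.
Get-ApplicationAccessPolicy | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Two practical notes. The policy constrains a token obtained with application permissions (the client credentials flow), which is the flow answer 1 assumes; with such a token there is no signed-in user, so the robot must address the mailbox explicitly, e.g. `GET https://graph.microsoft.com/v1.0/users/support@contoso.example/mailFolders/Inbox/messages`, and a request for any mailbox outside the scope group fails with 403 once the policy is active. And the policy only governs the Outlook resource APIs (mail, calendar, contacts, mailbox settings); it does not narrow other Graph application permissions the app may hold, so keep the consented permission set to the mail permissions the robot actually needs.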

0

If you can log in to Azure, etc. as the user that your script uses, you can create your own personal access token -

https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/pats?view=azure-devops

And then you can use the me reference in your API calls -

https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/messages

ivanivan
  • I have created a token with "Full access", but I am always getting "CompactToken parsing failed with error code: 80049217". I tried from my scripts as well as from C# code given in the doc. – Pavan Kumar Puvvala Jul 29 '19 at 11:22
  • @PavanKumarPuvvala - try using the Graph Explorer or PostMan, once you have a working API call integrate that into your code. Or, post your code (or at least a minimal but complete example) on stackoverflow.com (since you are now out of scope for serverfault) – ivanivan Jul 29 '19 at 12:01
  • I made a little progress with my Delegated permissions. But I am stuck with another problem. I posted my question on stackoverflow https://stackoverflow.com/questions/57268677/graph-mail-api-works-in-beta-version-but-not-in-v1-0 – Pavan Kumar Puvvala Jul 30 '19 at 09:43