
I'm trying to download emails through an Office365 app in an MVC web app, and I'm struggling with configuring app permissions in Azure Active Directory. The permission says "Read mail in All mailboxes"; however, I want to choose which mailboxes it can access/read.

Does anyone know how to be more specific in setting up permissions in AAD? Thanks for any help.

using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Inside an async controller action. SettingsHelper holds the tenant id, client id and client secret.
string authority = "https://login.microsoftonline.com/" + SettingsHelper.TenantId + "/oauth2/token";

// Client credential flow: the token is issued to the app itself, not to a signed-in user.
var credential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.ClientSecret);
AuthenticationContext authContext = new AuthenticationContext(authority);
var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com", credential);
var graphserviceClient = new GraphServiceClient(
    new DelegateAuthenticationProvider(
           (requestMessage) =>
           {
               requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);

               return Task.FromResult(0);
           }));

//This is Ok. I want to read this.
var allowedEmails = await graphserviceClient.Users["xxx@mydom.com"].Messages.Request().GetAsync();

//This is forbidden. I want to restrict this on AAD level.
var disabledEmails = await graphserviceClient.Users["yyy@mydom.com"].Messages.Request().GetAsync();


Mastenka

1 Answer


An app that uses the Client Credential flow to authenticate doesn't support restricting the app to reading specific emails.

But would you mind sharing the scenario you are working on? The Client Credential flow is used for a confidential app, which means the app is working in a safe environment. No malicious user could get the token to access the information you don't want to publish. So you can just limit the resource in your own app. Hope it is helpful.

Fei Xue
  • Hi Fei, thanks again for your help! My use case is that I need to download emails from a specific mailbox (I need to receive emails and store them in the MVC app; it has to be emails, I can't use an API [that would be the best way to do it...]). But for security reasons I can't create an open tunnel to all mailboxes in AD and restrict access just by email address for ClientCredential, because it's too vulnerable. It would give me as a developer access to all emails from company email addresses I know. – Mastenka Jul 18 '16 at 07:52
  • Or if the ClientCredential workflow required a step of inserting the password for a mailbox, that would be sufficient protection, because I couldn't read other mailboxes, only the ones that I have the password to. – Mastenka Jul 18 '16 at 08:42
  • There are several ways to prevent the developers from getting all messages. First, you can separate the development environment from the production tenant. Second, you can also replace the app token with a delegate token for test purposes. The third one is that you can build a test data server yourself. – Fei Xue Jul 18 '16 at 08:47
  • You're right. You can't do it this way. Even though I think it's a security problem not to have the possibility to create permissions specific enough, I think that MS will alter this functionality in a future release :). Thanks again Fei – Mastenka Jul 25 '16 at 14:11
  • @FeiXue-MSFT It's very common that an application needs to be able to download emails from just one specific email box (but needs to run with application credentials because the signed-in user does not have the correct permissions). Having a separate development environment isn't a solution. At the end of the day, developers need to test/debug in both dev and prod environments. We absolutely need the ability to restrict which mailboxes an application can access. – MgSam Sep 18 '19 at 13:53
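Added example, not code from the question or the answer: one way to apply the answer's suggestion of "limiting the resource in your own app". Because an app-only token obtained with client credentials is valid for every mailbox in the tenant, the application keeps an explicit allow-list of mailbox addresses, fails closed when the list is empty, refuses to send a Graph request for any other mailbox, and logs every allow/deny decision. `MailboxAllowList`, `RestrictedMailReader`, `DemoAsync` and the addresses are assumptions; `GraphServiceClient` and `IUserMessagesCollectionPage` are the Microsoft Graph SDK types the question already uses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;

// Added example, not from the question or the answer. MailboxAllowList and
// RestrictedMailReader are assumed names; the SDK types are Microsoft.Graph's.
public sealed class MailboxAllowList
{
    private readonly HashSet<string> _allowed;

    public MailboxAllowList(IEnumerable<string> allowedMailboxes)
    {
        // SMTP addresses and UPNs are case-insensitive and configured values are
        // often hand-typed, so normalise once and compare ordinally, ignoring case.
        _allowed = new HashSet<string>(
            (allowedMailboxes ?? Enumerable.Empty<string>())
                .Where(m => !string.IsNullOrWhiteSpace(m))
                .Select(m => m.Trim()),
            StringComparer.OrdinalIgnoreCase);

        // Fail closed: an empty or missing allow-list must never mean "every mailbox".
        if (_allowed.Count == 0)
            throw new InvalidOperationException("Mailbox allow-list is empty.");
    }

    public bool IsAllowed(string mailbox) =>
        !string.IsNullOrWhiteSpace(mailbox) && _allowed.Contains(mailbox.Trim());
}

public sealed class RestrictedMailReader
{
    private readonly GraphServiceClient _graph;
    private readonly MailboxAllowList _allowList;
    private readonly Action<string> _audit;

    public RestrictedMailReader(GraphServiceClient graph, MailboxAllowList allowList, Action<string> audit)
    {
        _graph = graph ?? throw new ArgumentNullException(nameof(graph));
        _allowList = allowList ?? throw new ArgumentNullException(nameof(allowList));
        _audit = audit ?? (_ => { });
    }

    // The only code path in the app that reads mail: the check runs before any
    // request carrying the app-only token leaves the process, and both outcomes
    // are written to the audit sink so a refused attempt shows up in the logs.
    public async Task<IUserMessagesCollectionPage> GetMessagesAsync(string mailbox)
    {
        if (!_allowList.IsAllowed(mailbox))
        {
            _audit($"DENY mailbox read: '{mailbox}' is not in the allow-list");
            throw new UnauthorizedAccessException($"Mailbox '{mailbox}' is not in the allow-list.");
        }

        _audit($"ALLOW mailbox read: '{mailbox}'");
        return await _graph.Users[mailbox].Messages.Request().GetAsync();
    }
}

public static class AllowListDemo
{
    // graphserviceClient is the client built in the question. The two constructed
    // addresses mirror the question: xxx@mydom.com should be readable, yyy@mydom.com refused.
    public static async Task DemoAsync(GraphServiceClient graphserviceClient)
    {
        var allowList = new MailboxAllowList(new[] { "xxx@mydom.com" });
        var reader = new RestrictedMailReader(graphserviceClient, allowList, Console.WriteLine);

        var allowedEmails = await reader.GetMessagesAsync("xxx@mydom.com"); // proceeds to Graph

        try
        {
            await reader.GetMessagesAsync("yyy@mydom.com"); // refused; Graph is never called
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

Two points to keep in mind when using this. First, the allow-list bounds what this code will do, not what the token can do: anyone holding the client secret still has the tenant-wide read the question and the later comment object to, so the secret has to be handled as a tenant-wide credential (kept out of source control, different per environment, rotated), which is also why the answer's suggestion of a separate development tenant matters. Second, the enforcement has to be the single entry point for mail access; if other code can reach `graphserviceClient.Users[...]` directly, the check is decorative. (Outside this thread's timeframe, Exchange Online later added application access policies, created with the `New-ApplicationAccessPolicy` cmdlet, which scope an app's app-only mail permissions to a group of mailboxes on the service side rather than in application code.)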