
I want to configure my Symfony4 application to read and send e-mails using the msgraph-sdk-php library.

My app would be reading and sending e-mail from a single account, whose password I don't want to expose to my app's users. Thus, I wouldn't be using OAuth for login.

My first experience was this piece of code (to retrieve mailbox user profile):

<?php

namespace App\Graph;

use Microsoft\Graph\Exception\GraphException;
use Microsoft\Graph\Graph;
use Microsoft\Graph\Model\User;

class GraphService
{
    function sentTestMessage() {
        // Values masked in the question; loaded from configuration in a real deployment
        $userId = "************************************";
        $tenantId = "************************************";
        $clientId = "************************************";
        $clientSecret = "***************************";

        // Client credentials grant against the Azure AD v1 token endpoint: no user signs in,
        // so the resulting token only carries the app's *application* permissions
        $guzzle = new \GuzzleHttp\Client();
        $url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/token?api-version=1.0';
        $token = json_decode($guzzle->post($url, [
            'form_params' => [
                'client_id' => $clientId,
                'client_secret' => $clientSecret,
                'resource' => 'https://graph.microsoft.com/',
                'grant_type' => 'client_credentials',
            ],
        ])->getBody()->getContents());
        $accessToken = $token->access_token;

        $graph = new Graph();
        $graph->setAccessToken($accessToken);

        try {
            /** @var User $user */
            $user = $graph->createRequest("GET", "/users/" . $userId)
                ->setReturnType(User::class)
                ->execute();
            $givenName = $user->getGivenName();
        } catch (GraphException $e) {
            // Report the error text in place of a name
            $givenName = $e->getMessage();
        }

        // A method call is not interpolated inside a double-quoted string, so use a variable
        return "Hello, I am $givenName ";
    }
}

But then Symfony shows me an exception page with this message:

Client error: GET https://graph.microsoft.com/v1.0/users/... resulted in a 403 Forbidden response:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the ope (truncated...)

Now the same query works when run in https://developer.microsoft.com/en-us/graph/graph-explorer with the same user logged in.

These are the permissions I gave the app:

[screenshot of the app's configured API permissions]

What should I do to overcome the problem above described?

VBobCat
1 Answer

You used the client credentials flow to get the access token in your code, so you need application permissions instead of delegated permissions.

[screenshot of the permission settings]

Tony Ju
  • Thanks... Tomorrow I'll try to discover who's administrator in my organization, for I wasn't allowed to set those permissions myself. – VBobCat Jul 01 '19 at 01:06
  • @VBobCat My pleasure. Just let me know if you have any concerns regarding this. – Tony Ju Jul 01 '19 at 09:59
  • I am concerned my admin won't consent because the mail permissions (which are critical to me) state "Read mail **in all mailboxes**", "Read and write mail **in all mailboxes**" and "Send mail **as any user**". I don't want this either, I only need my app to work with a single email account among the hundreds my organization has. – VBobCat Jul 01 '19 at 14:26
  • Is there some way I could login and authorize those delegated permissions and from that moment on just send ids and secrets from my app server? – VBobCat Jul 01 '19 at 15:57
  • @VBobCat Yes, you can use code grant flow to get the access token. You can refer to this answer (https://stackoverflow.com/questions/33509761/connect-to-azure-active-directory-from-php-web-application/33512913#33512913). Here is also an official document (https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code) – Tony Ju Jul 02 '19 at 01:24
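As an added illustration of the answer's point (example code, not from the question or from Tony Ju): an Azure AD access token carries application permissions, the kind a client credentials token can have, in its "roles" claim, and delegated permissions in its "scp" claim, so decoding the token payload shows whether the 403 above comes from a token that was issued with neither. The sample token is constructed inline, the signature is a dummy, and the permission name User.Read.All is an assumption about what GET /users/{id} needs.

```php
<?php
// Added example: inspect which kind of permissions an Azure AD access token carries.
// Application permissions (client credentials flow) appear in the "roles" claim;
// delegated permissions (a signed-in user) appear in the "scp" claim.
// Diagnostic only: no signature check here, the token's audience is Graph, not this app.

function base64UrlDecode(string $data): string
{
    $padded = str_pad(strtr($data, '-_', '+/'), strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    return base64_decode($padded, true) ?: '';
}

function tokenPermissions(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a JWT');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Unreadable JWT payload');
    }
    return [
        'application' => $claims['roles'] ?? [],                                  // e.g. ["User.Read.All"]
        'delegated'   => isset($claims['scp']) ? explode(' ', $claims['scp']) : [], // space-separated
    ];
}

function explain403(string $jwt, string $neededAppPermission): string
{
    $perms = tokenPermissions($jwt);
    if (in_array($neededAppPermission, $perms['application'], true)) {
        return "Token carries $neededAppPermission; the 403 has another cause.";
    }
    if ($perms['application'] === [] && $perms['delegated'] === []) {
        return 'Token has neither roles nor scp: no application permission was granted to the app '
             . '(admin consent missing?), which matches Authorization_RequestDenied.';
    }
    return "Token lacks $neededAppPermission (roles: " . implode(',', $perms['application']) . ').';
}

// Constructed sample token: header and payload are base64url JSON, the signature is a dummy.
$payload = ['aud' => 'https://graph.microsoft.com/', 'appid' => 'constructed-client-id'];
$sample = rtrim(strtr(base64_encode('{"alg":"none"}'), '+/', '-_'), '=') . '.'
        . rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=') . '.sig';

echo explain403($sample, 'User.Read.All'), PHP_EOL;
```

Run it against the real token returned by the client credentials call instead of the sample to see whether admin consent has actually been granted before the Graph request is made.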