
I have built a web-based MVC application in .Net 6.0 that has been in use for years within my company (upgraded recently to 6.0, of course). One of the functions of the app has allowed internal users to send emails and this was working through the Office 365 SMTP until recently. Our parent company introduced MFA and since then, the email function is broken and alternative methods I have implemented are only half working. Based on my research, Microsoft Graph seems to be a good way to replace this email functionality, however I'm lost on how to implement it with my current app.

The application is hosted on our own server with IIS and uses Windows Authentication. What I have not been able to find is a step-by-step guide on how to implement Microsoft Graph API with this setup. I'm completely self-taught and maintain this app on the side, rather than as my main job. All of the examples I've found aren't particularly helpful on the "here's how".

What I do know is that I need to have the app registered in Azure AD. I've spoken with our admin, and that won't be a problem once I know what I need to do. With .NET Core (.NET 6.0), MVC, Windows Authentication, hosted on an internal server with IIS:

  1. Is it possible to implement the Microsoft Graph API? (I believe the answer is yes)
  2. Is there a good step-by-step guide on exactly what I would need to do?

The closest thing I've found is this: https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-iwa-v2/active-directory-dotnet-iwa-v2/

Unfortunately, I'm mostly just staring at the code, not able to figure out how I can make use of most of it. I'd appreciate any guidance or recommendations.

matthew_b

1 Answer


Let's tidy up the ideas first.

You have implemented Windows Authentication, which means you know who is signed in now; in other words, your send-email function knows who the sender is. Then you also need a page to let users set the recipient and CC lists, the subject and the email content.

Then you want to use the Graph API to send email. This requires you to have an Azure AD application which has the Mail.Send permission with permission type Application (I think using this kind of permission is a good choice in your scenario). By the way, you also need to make sure the email senders have corresponding accounts in Azure AD, because the Graph API needs to know who the sender is, and the sender is required to be a member of the tenant in which the Azure AD application is registered (users outside the tenant can't use the resources in the tenant, right?). For example, users' account information is stored in your local database, and your app is linked to your local database, so your app knows who the user is; but when you try to use the Graph API/Azure AD, you must also make sure Azure AD knows who the user is, so Azure AD can authenticate and the Graph API can know who the user is and then allow the user to call the API.

Normally, in our applications, we integrate Azure AD so that users in Azure AD can use their Azure AD accounts to sign in; then, using the authentication by Azure AD, they can call the Graph API to do some actions. In your scenario, you didn't integrate Azure AD authentication, so using the client credential flow to authenticate your app to call the Graph API is better, which is why I said giving the "Application" permission is better. You may refer to this answer and try the sample code in it.

The code sample requires you to set the user id as one of the input parameters. If the user passed Windows Authentication, I trust you can get the user id, but you need to make sure the user id is the same in Azure AD. If not, you may also need to set up a matching relationship.

Tiny Wang
  • Thanks! This helps clear things up. I've reached out to our admin to register the app in Azure AD so I can try this. I will let you know once I have. In this case, all users have accounts in our Azure AD, so that shouldn't be a problem. Also, all users will send emails only from themselves. – matthew_b Mar 25 '22 at 13:24
  • Follow-up after some testing. The solution you linked to has MOSTLY worked for me, but I think there's still something wrong on the AD setup. Sending an email causes the error "The token contains no permissions, or permissions can not be understood." I've asked our admin to ensure Mail.Send permissions have been given and he says they are, but he's not familiar with this setup either and I suspect something is missing. Any advice on how to proceed? Thanks! – matthew_b Apr 05 '22 at 15:34
  • In my humble opinion, `The token contains no permissions, or permissions can not be understood` means `Mail.Send "Application" permissions have been given` or `your token is wrong`. I think you may try to decrypt the token you used to call the Graph API first: use `jwt.io` to decode the token and check if it has the claim `roles: Mail.Send` – Tiny Wang Apr 06 '22 at 04:58
  • Thanks so much for your continued help. Very much appreciated! I've seen the jwt site before, but for the life of me, I can't find any information on where I can get the token to copy into that page. Where do I get it? – matthew_b Apr 07 '22 at 15:43
  • Maybe you can refer to [this answer](https://stackoverflow.com/a/67816030/15581227) to get the token. But I think you need to create a new question so that other contributors can see it and help you. You may also provide the latest code and ideas in a new question. – Tiny Wang Apr 08 '22 at 05:05
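An added example, not code from the question, the answer or the linked Microsoft sample, of the approach the answer describes and the check the comments discuss: a .NET 6 helper class that acquires an app-only Graph token with the client credential flow, decodes that token and confirms its `roles` claim carries `Mail.Send` before calling the API (the check Tiny Wang suggests doing by hand on jwt.io), maps the Windows identity `DOMAIN\user` to the Azure AD user, and calls `POST /users/{id}/sendMail`. Assumptions: the NuGet packages `Azure.Identity` and `System.IdentityModel.Tokens.Jwt`; an app registration with `Mail.Send` and `User.Read.All` granted as Application permissions with admin consent; on-premises accounts synced to Azure AD so that `onPremisesSamAccountName` is populated; the class and method names (`GraphMailSender`, `ResolveUserIdAsync`, etc.) are my own.

```csharp
// Added example, not from the original post. Assumed NuGet packages:
// Azure.Identity, System.IdentityModel.Tokens.Jwt. Assumed app registration:
// Mail.Send and User.Read.All as Application permissions, admin-consented.
// Tenant id, client id and secret come from configuration (e.g. user secrets
// or an environment variable); never hard-code the secret.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public sealed class GraphMailSender
{
    private static readonly HttpClient Http =
        new() { BaseAddress = new Uri("https://graph.microsoft.com/v1.0/") };

    private readonly TokenCredential _credential;

    public GraphMailSender(string tenantId, string clientId, string clientSecret)
        => _credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

    // Client credential flow: an app-only token whose "roles" are the consented
    // Application permissions (".default" asks for all of them).
    public async Task<string> GetTokenAsync()
    {
        var ctx = new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" });
        AccessToken token = await _credential.GetTokenAsync(ctx, default);
        return token.Token;
    }

    // The jwt.io check from the comments, done in code: a JWT is base64url-encoded,
    // not encrypted, so it can be read without a key. For app-only tokens each
    // Application permission appears as its own "roles" claim. If Mail.Send is
    // absent, Graph answers "The token contains no permissions..." for sendMail.
    public static bool HasAppRole(string accessToken, string role)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        return jwt.Claims.Any(c => c.Type == "roles" && c.Value == role);
    }

    // The "matching relationship" from the answer: Windows Authentication gives
    // DOMAIN\sam; look the synced account up by onPremisesSamAccountName.
    // Returns null unless exactly one Azure AD user matches.
    public async Task<string?> ResolveUserIdAsync(string accessToken, string windowsName)
    {
        string sam = windowsName.Contains('\\') ? windowsName.Split('\\')[1] : windowsName;
        string filter = $"onPremisesSamAccountName eq '{sam.Replace("'", "''")}'"; // OData quoting
        using var req = new HttpRequestMessage(HttpMethod.Get,
            $"users?$select=id,userPrincipalName&$filter={Uri.EscapeDataString(filter)}");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        JsonElement value = doc.RootElement.GetProperty("value");
        return value.GetArrayLength() == 1 ? value[0].GetProperty("id").GetString() : null;
    }

    // POST /users/{id}/sendMail as the resolved user. With an Application
    // permission Graph sends from whichever mailbox {id} names, so senderId must
    // come from the authenticated identity, never from a form field.
    public async Task SendAsync(string accessToken, string senderId, string[] to, string subject, string body)
    {
        var payload = new
        {
            message = new
            {
                subject,
                body = new { contentType = "Text", content = body },
                toRecipients = to.Select(a => new { emailAddress = new { address = a } }).ToArray()
            },
            saveToSentItems = true
        };
        using var req = new HttpRequestMessage(HttpMethod.Post, $"users/{senderId}/sendMail")
        {
            Content = JsonContent.Create(payload)
        };
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await Http.SendAsync(req);
        if (!resp.IsSuccessStatusCode)
            throw new InvalidOperationException(
                $"sendMail failed: {(int)resp.StatusCode} {await resp.Content.ReadAsStringAsync()}");
    }
}

// Usage from an [Authorize] MVC action under Windows Authentication (cfg is an
// IConfiguration; model is the posted recipient/subject/body view model):
//   var sender = new GraphMailSender(cfg["Graph:TenantId"], cfg["Graph:ClientId"], cfg["Graph:ClientSecret"]);
//   string token = await sender.GetTokenAsync();
//   if (!GraphMailSender.HasAppRole(token, "Mail.Send"))
//       throw new InvalidOperationException("Mail.Send application permission not consented");
//   string? id = await sender.ResolveUserIdAsync(token, User.Identity!.Name!)
//       ?? throw new InvalidOperationException("Windows user has no matching Azure AD account");
//   await sender.SendAsync(token, id, model.To, model.Subject, model.Body);
```

Two practitioner notes. First, the "where do I get the token" question from the comments: it is the string `GetTokenAsync` returns; pasting it into jwt.io is fine in a debugging session, but it is a bearer credential for every mailbox in the tenant, so never write it to application logs. Second, an Application-type `Mail.Send` lets the app registration send as any user in the tenant; if that is wider than needed, an Exchange Online administrator can limit which mailboxes this app id may use with an application access policy (`New-ApplicationAccessPolicy` in Exchange Online PowerShell), which is independent of the code above.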