
I need to create an application that sends emails via MS Graph, but I also need to somehow restrict it to a few mailboxes that will be sending email (e.g. avoid sending mail as the CEO). Before, I just used System.Net.Mail, and because basic authentication is now deprecated I must find a new way of sending mail.

So I registered a new application in AAD and added the API permission for MS Graph Mail.Send (application type). Now I want to add a restriction for that Graph API (I want to limit who can send a message from this API). I found that I must use the New-ApplicationAccessPolicy cmdlet, but before that I created a mail-enabled security group. Then via PowerShell I added a new policy:

```powershell
New-ApplicationAccessPolicy -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7" -PolicyScopeGroupId "SMTPOAuth2SecurityGroup@consto.onmicrosoft.com" -AccessRight RestrictAccess -Description "SMTP OAuth2 Connector"
```

Then I added two accounts, AlexW and DiegoS; both are from the Microsoft 365 Developer Program, so neither was modified by me in any way:

```powershell
Test-ApplicationAccessPolicy -Identity "AlexW@consto.onmicrosoft.com" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"

AppId             : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox           : AlexW
AccessCheckResult : Granted

Test-ApplicationAccessPolicy -Identity "DiegoS@consto.onmicrosoft.com" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"

AppId             : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox           : DiegoS
AccessCheckResult : Granted
```

But now when I test my application, AlexW can send mail, but for DiegoS (or a random person) I get an error:

```text
DiegoS@consto.onmicrosoft.com:Code: ErrorAccessDenied Message: Access to OData is disabled. ClientRequestId: 909c72f7-02b7-4697-afd5-3d65a58d47a5
```

I tried removing and re-adding the policy and waiting some time, but it is still the same problem.

  • If I misunderstood your requirement, pls kindly let me know and I'll delete my post, thanks in advance. – Tiny Wang Sep 23 '22 at 02:31

1 Answer


According to your description, I captured these key words: use the Graph API to send email, allow specific users to send email, API permission of application type. Then let's look at the necessary parameters to send an email: sender, content, receiver.

Per my understanding, since you used an application-type permission, you want to use the client credential flow to generate an access token and call the Graph API to send the email, so you have to create an Azure AD application (done), then you need to specify the sender (set a restriction so that only AlexW and DiegoS can do it). Receivers and content are based on the requirement, so we don't need to take them into consideration.

Here's a code snippet to send email via the MS Graph API. The only point we need to consider now is how to set the sender user principal.

Then there are 2 scenarios. Do you need to ask users to sign in first before they can send email? Or is what you created just an API, so that you only need to receive a parameter (e.g. the parameter is the user principal used to send email) and then use it to send the email?

If you want to integrate the authentication, then you can restrict which users can access your app: Azure AD already provides the feature to allow only specific users to sign in, and the ones who are allowed to sign in can send email. Since they have already signed in, we can certainly get the user principal.

If you just want to provide a web API, then you may store the users who are allowed to access your API in the database, so that you can check whether the incoming request is legitimate...

  • Hey. I don't have a problem with the code (I think). Like you wrote, I want to protect my app against changes in `await graphClient.Users[mail].SendMail(message, saveToSentItems).Request().PostResponseAsync();`, to send only as defined users. I tried https://learn.microsoft.com/en-us/answers/questions/214142/how-to-restrict-microsoft-graph-api-permission-to.html and https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment but without success. Maybe I must make some change in the manifest file? – Karol Kozłowski Sep 23 '22 at 05:59
  • `how to restrict Microsoft Graph API permission to one accounts only` --- is impossible, since the API itself doesn't care who is using it, it only cares about the parameters. In your scenario, you want to send email via the Graph API as defined users. For example, if you only want to send email as `AlexW`, then please set AlexW's user principal in `await graphClient.Users["user_principle"]`; you can hardcode it in your code. Then if I use my account to sign in to your app or call your API, the email will still be sent by `AlexW` and not me. – Tiny Wang Sep 23 '22 at 06:09
  • 1
    I removed ApplicationAccessPolicy and it seems to be working when I added this perms by azure app like you said. – Karol Kozłowski Sep 23 '22 at 07:09
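The pattern the answer describes, as an added example that is not code from the question or the answer: the app-only client credential flow with a sender allowlist fixed in the application, so the sender mailbox is never chosen by the caller. It assumes Microsoft.Graph SDK 4.x and Azure.Identity; the tenant id, client id and secret are placeholders read from environment variables.

```csharp
// Added example (not the asker's or answerer's code). Assumes Microsoft.Graph 4.x and
// Azure.Identity; AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET are placeholders.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;

public static class RestrictedMailer
{
    // Allowlist of mailboxes the app may send as. It lives in code/config and is never
    // taken from the incoming request, so a caller cannot pick another mailbox (e.g. the CEO).
    private static readonly HashSet<string> AllowedSenders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "AlexW@consto.onmicrosoft.com",
            "DiegoS@consto.onmicrosoft.com",
        };

    public static bool IsAllowedSender(string upn) => AllowedSenders.Contains(upn);

    public static async Task SendAsync(string senderUpn, string to, string subject, string text)
    {
        if (!IsAllowedSender(senderUpn))
            throw new UnauthorizedAccessException($"Sending as {senderUpn} is not permitted.");

        // Client credential flow: app-only token for the Mail.Send application permission.
        var credential = new ClientSecretCredential(
            Environment.GetEnvironmentVariable("AZURE_TENANT_ID"),      // placeholder
            Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),      // placeholder
            Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET")); // placeholder
        var graphClient = new GraphServiceClient(
            credential, new[] { "https://graph.microsoft.com/.default" });

        var message = new Message
        {
            Subject = subject,
            Body = new ItemBody { ContentType = BodyType.Text, Content = text },
            ToRecipients = new List<Recipient>
            {
                new Recipient { EmailAddress = new EmailAddress { Address = to } }
            },
        };

        // The sender is the allowlisted UPN, as the answer suggests hardcoding it.
        await graphClient.Users[senderUpn].SendMail(message, true).Request().PostAsync();
    }
}
```

The in-app allowlist and an Exchange ApplicationAccessPolicy are complementary layers: the policy limits which mailboxes the app's token can touch tenant-wide, while the allowlist keeps the sender choice out of the caller's control.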