I need to create an application that sends emails via MS Graph, but I also need to somehow restrict it to a few mailboxes which will be sending email (e.g. avoid sending mail as the CEO). Before, I just used System.Net.Mail, and because basic authentication is now deprecated I must find a new way of sending mail.
So I registered a new application in AAD and added the API permission for MS Graph Mail.Send (application type). Now I want to add a restriction for that Graph API (I want to limit who can send a message from this API). I found that I must use the New-ApplicationAccessPolicy cmdlet, but before that I created a mail-enabled security group. Then via PowerShell I added a new policy:
New-ApplicationAccessPolicy -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7" -PolicyScopeGroupId "[email protected]" -AccessRight RestrictAccess -Description "SMTP OAuth2 Connector"
Then I added two accounts, AlexW and DiegoS; both are from the Microsoft 365 Developer Program, so neither was modified by me in any way:

Test-ApplicationAccessPolicy -Identity "[email protected]" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"

AppId             : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox           : AlexW
AccessCheckResult : Granted

Test-ApplicationAccessPolicy -Identity "[email protected]" -AppId "9e48a326-a952-42ca-882f-ff1eec699ba7"

AppId             : 9e48a326-a952-42ca-882f-ff1eec699ba7
Mailbox           : DiegoS
AccessCheckResult : Granted

But now when I test my application, AlexW can send mail, but for DiegoS (or a random person) I get an error:
[email protected]:Code: ErrorAccessDenied Message: Access to OData is disabled. ClientRequestId: 909c72f7-02b7-4697-afd5-3d65a58d47a5
I tried removing and adding it again, waited some time, and still have the same problem.
CodePudding user response:
According to your description, I captured these key words: use Graph API to send email, allow specific users to send email, API permission with application type. Then let's see the necessary parameters to send an email: sender, content, receiver.
As I understand it, since you used application-type permission, you want to use the client credential flow to generate an access token and call the Graph API to send the email. So you have to create an Azure AD application (done), then you need to specify the sender (set a restriction so that only AlexW and DiegoS can do it). Receivers and content depend on the requirement, so we don't need to take them into consideration.
Here's a code snippet to send email via the MS Graph API. The only point we need to consider is how to set the sender user principal now.
There are 2 scenarios here. Do you need to ask users to sign in first so that they can send email? Or is what you created just an API, so that you only need to receive a parameter (e.g. the parameter is the user principal used to send the email) and then use it to send the email?
If you want to integrate authentication, then you can restrict which users can access your app: Azure AD already provides a feature to allow only specific users to sign in, so the ones who are allowed to sign in can send email, and since they have already signed in, we can certainly get the user principal.
If you just want to provide a web API, then you may store the users who are allowed to access your API in a database so that you can check if the incoming request is legal...
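As an added example (not part of the question or the answer above), here is what the answer's second scenario could look like in .NET, the stack the asker is moving away from System.Net.Mail on: the sending app keeps its own allowlist of approved sender mailboxes (a static set here; the answer suggests a database), acquires an app-only token with MSAL's client credential flow, and calls the Graph sendMail endpoint as that user. The AppId is the one from the question; the tenant id, client secret, sender and recipient addresses are placeholders. The in-app allowlist is a second layer on top of the ApplicationAccessPolicy the asker created, not a replacement for it, and a 403 ErrorAccessDenied from Graph (the response the asker saw for DiegoS) is surfaced as a policy problem instead of a generic HTTP failure.

```csharp
// Added example: app-only Graph sendMail with an application-side sender allowlist.
// NuGet package: Microsoft.Identity.Client (MSAL). Placeholders are marked with <...>.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphMailSender
{
    // App registration from the question; tenant id and secret are placeholders.
    private const string ClientId = "9e48a326-a952-42ca-882f-ff1eec699ba7";
    private const string TenantId = "<tenant-id>";
    private static readonly string ClientSecret =
        Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET") ?? "<client-secret>";

    // Mailboxes this app may send as (placeholder UPNs). This mirrors the mail-enabled
    // security group behind the ApplicationAccessPolicy so that a request for any other
    // mailbox (e.g. the CEO) is rejected before a Graph call is made.
    private static readonly HashSet<string> AllowedSenders =
        new(StringComparer.OrdinalIgnoreCase)
        {
            "AlexW@<tenant>.onmicrosoft.com",
            "DiegoS@<tenant>.onmicrosoft.com",
        };

    private static readonly HttpClient Http = new();

    public static bool IsAllowedSender(string upn) => AllowedSenders.Contains(upn);

    // Client credential flow: no user signs in, the token carries the app's Mail.Send
    // application permission. ".default" requests exactly the permissions granted.
    public static async Task<string> GetAppTokenAsync()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        var result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }

    public static async Task SendAsync(string senderUpn, string to, string subject, string text)
    {
        // Fail fast in the app; the tenant-side policy is still enforced by Exchange.
        if (!IsAllowedSender(senderUpn))
            throw new UnauthorizedAccessException($"'{senderUpn}' is not an approved sender mailbox.");

        var payload = new
        {
            message = new
            {
                subject,
                body = new { contentType = "Text", content = text },
                toRecipients = new[] { new { emailAddress = new { address = to } } }
            },
            saveToSentItems = true
        };

        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://graph.microsoft.com/v1.0/users/{Uri.EscapeDataString(senderUpn)}/sendMail");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetAppTokenAsync());
        request.Content = new StringContent(JsonSerializer.Serialize(payload), Encoding.UTF8, "application/json");

        using var response = await Http.SendAsync(request);
        if (response.StatusCode == HttpStatusCode.Accepted) return; // 202: message queued

        var body = await response.Content.ReadAsStringAsync();
        // 403 ErrorAccessDenied ("Access to OData is disabled") is what the asker saw for a
        // mailbox the policy does not grant to this AppId; name the cause explicitly.
        if (response.StatusCode == HttpStatusCode.Forbidden && body.Contains("ErrorAccessDenied"))
            throw new UnauthorizedAccessException(
                $"Graph denied sending as '{senderUpn}'; check the ApplicationAccessPolicy scope group. Response: {body}");
        throw new HttpRequestException($"sendMail failed with {(int)response.StatusCode}: {body}");
    }

    // Usage: dotnet run -- AlexW@<tenant>.onmicrosoft.com someone@example.com
    public static async Task Main(string[] args)
    {
        await SendAsync(args[0], args[1], "Test from Graph", "Sent with Mail.Send (application permission).");
        Console.WriteLine("Accepted by Graph.");
    }
}
```

Keeping the allowlist and the policy group in step is the operational point: the policy is what actually stops the app from sending as an unlisted mailbox even if the app is compromised or misconfigured, while the in-app check gives callers an immediate, readable rejection and keeps denied attempts out of the Graph logs.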