Can MS Graph access mailboxes without individual IDs/passwords?
Our organization is considering some mailbox automation using MS Graph. However, the concern has been expressed that it would expose all mailboxes' emails.
Worst case (i.e. a clever hacker using scripts only): is there any way, scripting with MS Graph, one could access mailboxes without individual IDs/passwords? What would be the biggest exposure if they had for one mailbox that has nothing delegated to it?
Thanks!
CodePudding user response:
For the MS Graph API, it provides the ability to manage the account/group/mail account/event/calendar/... And if we need to use the Graph API, we have to create an Azure AD application with the application credential (basically, the client_secret). And the Azure AD app should have enough API permission; for example, if we give the permission User.ReadWrite.All, then we can use the Graph API to manage users in this tenant via this Azure AD app. When we add the permission Mail.ReadWrite, then we can manage the email account.
For API permission, there are 2 kinds of permissions: one for delegated, another for application. When we give delegated API permission, we need to sign in with your own account (e.g. [email protected], and this account has a license for mail) first, then we can use the MS Graph API to list all the mail messages for your account.
But when we give application API permission, we don't need to sign in first; we can directly call the Graph API and list all the mail messages for any user account which has a mail license in your tenant.
Let's go back to your question: can a script access mailboxes without individual IDs/passwords? My answer is yes. But I have to get the Azure AD application & client secret, then this app must have enough API permission, like application permission for Mail.ReadWrite, Mail.Send, and I need to know your email address/account. When I get all this information, I can access the mailboxes. Here's a sample.
using System;
using Microsoft.Graph;
using Azure.Identity;

// Client credentials flow: no user signs in; the app authenticates with its own secret.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_name.onmicrosoft.com";
var clientId = "aad_app_id";
var clientSecret = "client_secret";

var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret);

var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

// With the Mail.ReadWrite application permission this works for any licensed
// mailbox in the tenant, addressed by email address or user id.
var messages = await graphClient.Users["{email_address/user_account/user_id}"].Messages
    .Request()
    .Select("sender,subject")
    .GetAsync();

foreach (var message in messages)
{
    Console.WriteLine($"{message.Sender?.EmailAddress?.Address}: {message.Subject}");
}
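The answer's distinction between delegated and application permissions is visible in the access token itself: a token obtained through the client credentials flow (no user sign-in) carries application permissions in a `roles` claim, while a token obtained after a user signs in carries the user's consented scopes in an `scp` claim. The following added example (not from the answer above or from Microsoft's SDK) decodes the payload of a compact JWT and reports which kind of token an automation is actually running with and which `Mail.*` permissions it holds, so that a reviewer can confirm whether a mailbox script is confined to one signed-in account or has tenant-wide reach. The two tokens are constructed inline with placeholder claims and an unverified signature; real tokens should additionally be signature-checked before any claim is trusted.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

// Two constructed tokens (placeholder values, not real credentials) built from
// the same JSON header and differing payloads: one app-only, one delegated.
string header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
string appOnlyPayload = "{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"aad_app_id\","
                      + "\"roles\":[\"Mail.ReadWrite\",\"Mail.Send\",\"User.Read.All\"]}";
string delegatedPayload = "{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"aad_app_id\","
                        + "\"upn\":\"[email protected]\",\"scp\":\"Mail.Read User.Read\"}";

string appOnlyToken = $"{Base64UrlEncode(header)}.{Base64UrlEncode(appOnlyPayload)}.sig";
string delegatedToken = $"{Base64UrlEncode(header)}.{Base64UrlEncode(delegatedPayload)}.sig";

foreach (string token in new[] { appOnlyToken, delegatedToken })
{
    var (kind, mailPermissions) = Classify(token);
    Console.WriteLine($"{kind}: {string.Join(", ", mailPermissions)}");
}

// Reads the JWT payload (without signature verification) and classifies it.
static (string Kind, string[] MailPermissions) Classify(string jwt)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3)
        throw new FormatException("not a compact JWT");

    using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
    JsonElement root = doc.RootElement;
    var mail = new List<string>();

    // App-only token: application permissions live in the "roles" array and
    // apply to every mailbox in the tenant unless an access policy scopes them.
    if (root.TryGetProperty("roles", out JsonElement roles))
    {
        foreach (JsonElement role in roles.EnumerateArray())
        {
            string? value = role.GetString();
            if (value != null && value.StartsWith("Mail.", StringComparison.Ordinal))
                mail.Add(value);
        }
        return ("application (no user sign-in, tenant-wide)", mail.ToArray());
    }

    // Delegated token: scopes are a space-separated string in "scp" and are
    // limited to what the signed-in user can already reach.
    if (root.TryGetProperty("scp", out JsonElement scp))
    {
        foreach (string scope in (scp.GetString() ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries))
        {
            if (scope.StartsWith("Mail.", StringComparison.Ordinal))
                mail.Add(scope);
        }
        return ("delegated (signed-in user only)", mail.ToArray());
    }

    return ("unknown", Array.Empty<string>());
}

static string Base64UrlEncode(string s) =>
    Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

static string Base64UrlDecode(string s)
{
    string padded = s.Replace('-', '+').Replace('_', '/');
    switch (padded.Length % 4)
    {
        case 2: padded += "=="; break;
        case 3: padded += "="; break;
    }
    return Encoding.UTF8.GetString(Convert.FromBase64String(padded));
}
```

Running this prints `application (no user sign-in, tenant-wide): Mail.ReadWrite, Mail.Send` for the first token and `delegated (signed-in user only): Mail.Read` for the second. Seeing `roles` with `Mail.*` entries on a production automation is the situation the question worries about, and the place to address it is the app registration's granted permissions rather than the script.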