How to restrict mailbox access in azure active directory application - azure-active-directory

I am able to read other users email using microft.graph api. Need guidance as how to restrict mailbox access so that users can view its email alone.
I created an azure admin and added 3 users. I registered an app and granted Mail.ReadWrite api permission. I generated a token and was able to read others users email. Need guidance as how mailbox access can be restricted to specific user and particular user can access their own email
Need guidance as how to restrict the users from accessing other users email

Client credential allows the app to read all the information that it have access to without a user. It means that anyone who opens the app can see the information. See Get access without a user.
What you need is Get access on behalf of a user.
To get an access token, the user is redirected to the Microsoft identity platform /authorize endpoint. In the authorization code grant flow, after consent is obtained, Azure AD will return an authorization_code to your app that it can redeem at the Microsoft identity platform /token endpoint for an access token.
At last, use this access token to access the emails of the logged in user. You won't see other users' emails.

I was able to restrict my app to access specific user email by creating an application policy. This link helped me to achieve this https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access Now I am using client credential to generate app level token and access specific users email.

Related

Revoke access for an access_token received via MS Active Directory authentication

I am currently using passport-azure-ad and #azure/msal-node nodejs library to authenticate users for my APIs. When the user successfully authenticates via his/her microsoft account we receive an access_token, the user can call our APIs with that access_token.
Now if we disable the user's account from the Azure admin panel, the user's already existing access_token should be invalidated and he/she should not be able to call our APIs with that access_token.
How can we do this please?
Basically, you can't.
I believe that the spec. doesn't allow access tokens to be revoked.
You can, however, revoke refresh tokens.
When the access token expires, the refresh token won't be honoured and the user will be logged out.
Going forward, continuous access evaluation will be of use but it hasn't been implemented in many apps. to date.

Graph API POST Request (Create List Item) 'accessDenied' error for Guest AD Users

I have quite a strange issue (well I think it is)... I'm building a web application using Ionic Angular and this application needs to submit information to a SharePoint site within our company. Authentication for the application is handled using Microsoft Authentication Library for Angular (v1) and the users of the application can either be AzureAD Guest users, or actual company users. The application successfully authenticates both types of users and they are issued an IDtoken, along with an accessToken. The access token is then used to perform GET, PATCH and POST Graph API requests against particular lists within a SharePoint site.
If I'm logged in as a full user... there is no issue, the app can successfully perform all three request types against the lists. However, if I'm logged into the application as a Guest user, I can only successfully perform GET and PATCH requests, but not POST:
A Postman POST request using the access token retrieved via MSAL authentication
I have checked the scopes within the token using https://jwt.ms and confirm that the following scopes are present:
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
User.Read profile openid email
The permissions for the lists are granted through membership of an Azure AD Domain/Security group and both; the full user and guest user are members.
To further add to this, I've logged into the SharePoint site online as the Guest User and I can successfully See, Add and Edit List items from the list, but I can't seem to do this via the Graph API.
Has anyone seen this behaviour before, or has any pointers?
Thanks in advance.
This is my app registration setup regarding permissions:
API Permissions
Please check your permissions in Azure Portal. When getting the access token with a signed-in user, you need to make sure the delegated permission Sites.ReadWrite.All has been set, and grant admin consent for your tenant.
And the scope should be added this permission for requesting an access token.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=<client_id>
&scope=https%3A%2F%2Fgraph.microsoft.com%2FSites.ReadWrite.All
&code=<authorization_code, see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code>
&redirect_uri=<redirect_uri>
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret=<client_secret>
It may be a delay about 5-10 mins after adding the permission.

Why do i need to create a Multi-Tenant App?

I have been doing some R&D on using the MicrosoftGraphAPI to fetch the skus subscribed by my organization.
I have created an app as described in the documentation. I did all the steps in the above link except 'Assign application to role'.
Using postman am able to get the oauth2 token by sending a post request using the link
https://login.microsoftonline.com/<mytenantid>/oauth2/token
with the client_id, client_secret, resource(https://graph.microsoft.com) and grant_type(client_credentials) parameters.
After this token is obtained I can fire a get request https://graph.microsoft.com/v1.0/subscribedSkus with the Authorization header set as Bearer {token} which will return the SKUs subscribed by my organization.
So far so good. :-)
Now the requirement is I need to fetch the subscribed SKUs by one of the client (let's say having the azure ad tenant id 'ABCDEFG') of my organization.
I can successfully do that by registering an app in the client's tenant 'ABCDEFG' with the same steps as above.
This approach is fine if my organization has say 1 or 2 clients.
However, if the client numbers are more than say 30 this approach of registering an application in each Azure AD instance is not feasible.
If the application that I registered in my organizations AAD was multi-tenant then how should it help me?
What will be the steps needed to obtain the access token for each tenant?
Can somebody assist with some detailed explanation?
Since you need application-level access, you would assign one of the Application permissions listed in the documentation for getting SKUs: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscribedsku_list.
Directory.Read.All, Directory.ReadWrite.All
In this case you should require the Read Directory Data (Directory.Read.All) application permission.
Then you mark your app as multi-tenanted.
Now then in order for another org to use your app, they will have to be on-boarded.
You will need some kind of page where their administrator can click a button/link to start using your app.
This should redirect the admin to:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=your-client-id&prompt=admin_consent&response_type=code+id_token&redirect_uri=url-where-to-send-user-back
Once they sign in, they will be presented with a consent screen, where they can approve the permissions that your app requires.
If and when they do that, they will be redirected back to your app (to the URL you specified) and you can use the Id token to know which Azure AD tenant registered.
During this process a service principal for your app is created in their tenant, and the required permission is granted to it.
This means you can then get an access token for their tenant from: (using the same credentials)
https://login.microsoftonline.com/their-tenant-id/oauth2/token
Remember that access tokens are specific to an Azure AD tenant, so you will have to get an access token for each tenant.
One thing I would like to point out is that you should instead try to use delegated permissions if possible.
The application permission given here gives quite large access to your app, and some admins might not use your service for that reason alone.
Delegated permissions are more complex to handle, but allow your app to act on behalf of a user instead of purely as itself.

Graph API - Daemon app with User Consent

We want to create an API App(Main purpose is to contact our organizations Office 365 Graph endpoint and send email) in Azure.. however our frontend website doesn't use Azure AD for the user authentication.. however we want our backend APi to be able send email in one of the following ways
1) send email as any user
2) send email on behalf of a service account
we are trying to explore the possible options and based on the investigation done so far, this(option 1) can be done using admin_consent - Can someone help with the steps we need to follow to create such app and deploy.
additionally is there a way to create an API app without login screen being prompted during the execution of the API - while using user_consent?
Option 1
In order for an app/daemon to send email as any user, it must have the send mail as any user app permission.
Give that permission on the Microsoft Graph API to the app, then grant the permission by clicking the Grant Permissions button in the portal, or by going through the admin consent flow.
Your API can then authenticate with its client credentials and get an access token to send email.
The bad side of this approach should be obvious, the app gets rights to send emails as anyone in your org.
Option 2
You could alternatively create an account for the API, and then use the Resource Owner Password grant flow to authenticate. You would then give the delegated permission for sending email as the signed in user.
The bad side of this is the flow for authenticating. If the account's password expires, there is no way for you to reset it from there, you would have to intervene to fix the problem.
Consent
You cannot go through consent without the browser UI.

admin_consent for openid connect and dynamic scopes

We have a webapplication that uses openid connect, with azure as the identityprovider, to sign in users. So users, when signing in is sent to a URL like:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?response_type=id_token+token&client_id=3{clientId}&response_mode=form_post&redirect_uri=http://localhost:8765/ms/oidc/signon/response&scope=openid+profile+https://graph.microsoft.com/user.read&state=1234&nonce={nonce}
this works fine, but requires users to consent to our apps permission scopes the first time they use it.
We'd like to offer office365 administrators the ability to consent on behalf of their entire tenant, so we send them to an endpoint like:
https://login.microsoftonline.com/common/adminconsent?client_id={clientId}&state=12345&redirect_uri=http://localhost:8765
this also seems to work fine, and the admin i informed that they will consent on behalf of all users in their tenant. However, the user is still presented with the consent prompt on first login.
This does make sense, since the app is only registered with the user.read permission, so if we instead sent the user to
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?response_type=token&client_id={clientId}&response_mode=form_post&redirect_uri=http://localhost:8765/ms/oidc/signon/response&scope=https://graph.microsoft.com/user.read&state={state}&nonce={nonce}
without the dynamic permission request, and response type only set to token, the admin consent works, and users are not presented with the consent prompt.
So, I guess I have 2 questions:
1) is this how it's supposed to work, or is there some way to grant admin consent to the profile and openid scopes?
2) Am I actually missing anything by not requesting these(openid+profile) permissions? I don't receive and id_token in the response, but is seems the authentication_token already contains even more information than the id_token does anyway
1) is this how it's supposed to work, or is there some way to grant admin consent to the profile and openid scopes?
It seems a bug in azure ad v2.0 consent framework , well-known scopes(openid,profile) should be granted by default when you do admin permissions. Please refer to this link .
2) Am I actually missing anything by not requesting these(openid+profile) permissions? I don't receive and id_token in the response, but is seems the authentication_token already contains even more information than the id_token does anyway
You don't use OpenID connect since you haven't added the openid scope ,so id_token is not returned . But since you have the user.read permission of microsoft graph api , you could use microsoft graph api to read the user's basic information . Id_token and access token are different ,the id_token is used to identify the authenticated user. The access_token is used to prove access rights to protected resources . Please click here for more details.

Resources