Can Azure AD OAuth client credentials flow permissions be limited to specific mailboxes?
I have a background service that needs to be able to monitor specific mailboxes for new emails in a customer's Azure AD. Because it's a background service, I'd like to use the OAuth client credentials flow.
To test this out, I registered an application in my own Azure AD (allowing accounts in any organizational directory), and am looking at setting the permissions. My understanding is that, for the client credentials flow, I can only set application-level permissions, not delegated. I see a Mail.Read permission for all mailboxes, but not a way to choose specific ones.
Am I missing the right way to set this up, or is switching to the authorization code flow with delegated permissions my only option?
Note that: You need to pass only application permissions while using Client Credential flow. As there is no user context involved in this flow, they are tenant-wide permissions.
- Hence, if you use Client Credential Flow the Azure AD Application will have same level access to all the mailboxes.
You can make use of Authorization code flow which needs delegated permissions which allows to request access.
I created an Azure AD Application and granted API permissions like below:
Authorized users using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/Mail.Read
&state=12345
Now, I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/Mail.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
Using the above access token, you can read the mails like below:
GET https://graph.microsoft.com/v1.0/me/messages
Otherwise, you can also try limiting the Application to specific mailboxes by creating the Application policy by referring this MsDoc:
New-ApplicationAccessPolicy -AppId AppClientID -PolicyScopeGroupId xxx@xxx.com -AccessRight RestrictAccess -Description "Restrict this app to members"
Reference:
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- Error: Invalid Request: Value passed for the authorization code was invalid
- Spring Security OAuth2 - Add parameter to Authorization URL
- Use Oauth2+Django to get authorization to access user's Gmail
- Ruby & IMAP - Accessing Office 365 with Oauth 2.0
- Facebook graph api returns 400 bad request with correct access token
- How do I add audience validation using Spring OAuth without needing the issuer?
- How to make Depends optional in FastAPI?
- Getting refresh token for gmail API with Spring Security
- Creating firebase user with authentication information from Salesforce
- Where to store the refresh token on the Client?
- AuthorizedClientServiceOAuth2AuthorizedClientManager: accessToken cannot be null
- Swift Discord OAuth2 redirect URi not supported by Client
- Apim policy to validat token for b2b and as well as b2c tenant token endpoints
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Google APIs Console - missing client secret
- Automating access token refreshing via interceptors in axios
- Supabase does not append code parameter to the redirect URL after OAuth login
- How/why is login page redirect required?
- Where can I find a list of scopes for Google's OAuth 2.0 API?
- Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
- Spring security JWT without OAuth
- Add OAuth authentication for HTTP request triggers
- Get email, phone, etc from OAuth2 login
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Apache strips down "Authorization" header
- Fake Firebase Auth Tokens for Test Environment
- Access Not Configured for Google OAUTH Login
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA