Only allow accessing emails from users assigned to Azure Enterprise Application using Confidential Client Credential Flow
I have an application where I want to send and read emails for a specific list of users assigned to an Azure Enterprise Application using the MS Graph API and the Confidential Client Credential flow. I do not know which users these will be initially, but I can query them through the service principals endpoint for the application and let the application user pick which one(s) to use.
I understand that I need to add the Application level User.Read.All, Mail.Send, and Mail.Read API permissions to the App registration and grant admin consent for them, however after retrieving the confidential client token and calling the https://graph.microsoft.com/v1.0/users/{user}/sendMail endpoint with it, I find it will still let me send from any user in the domain and not just the ones assigned to the application. The Assignment required setting in the enterprise application properties doesn't appear to affect this.
Is there a way to ensure the endpoint cannot be used to send/read user emails that are not assigned to the enterprise application?
I created an Azure AD application and granted API permissions like below:
And set Assignment required as YES in the Enterprise application:
For sample added ruk user:
Now I generated access token using Client Credentials flow by using below parameters via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
By using the above access token, I tried to send mail by another user which is not assigned to the Enterprise application. And I am able to send mail successfully:
POST https://graph.microsoft.com/v1.0/users/usertest@xxx.onmicrosoft.com/sendMail
Content-type: application/json
{
"message": {
"subject": "Meet for lunch?",
"body": {
"contentType": "Text",
"content": "The new cafeteria is open."
},
"toRecipients": [
{
"emailAddress": {
"address": "user@xxx.onmicrosoft.com"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "user1@xxx.onmicrosoft.com"
}
}
]
},
"saveToSentItems": "false"
}
Note that: If you are setting Assignment required to YES then it works for only User Sign-in scenario or User interactive flow not for Confidential Client Credential Flow as there is no user interaction involved.
For Client Credential Flow/Application identity scenario, you must configure Application Access Policy like below:
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AppId ClientID -PolicyScopeGroupId ruk@xxx.onmicrosoft.com -AccessRight RestrictAccess -Description "test"
You can test the policy against other users:
Test-ApplicationAccessPolicy -Identity user@xxx.onmicrosoft.com -AppId ClientID
Test-ApplicationAccessPolicy -Identity ruk@xxx.onmicrosoft.com -AppId ClientID
Now only the ruk user will be able to send mail using the access token generated by Client Credential flow for the application.
- You can create the group and add users you want to access application and configure the policy by passing the group id.
- If you do not want to configure application access policy, then set assignment required to YES and make use of user interactive flow.
References:
How to allow Azure Ad App to access information only for certain users? - Microsoft Q&A by krish-gh
New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?