Reputation: 7683
We tried to set up the simplest possible application for reading emails from a mailbox in our organization, using Microsoft Graph.
It's a background service, so we used ClientSecretCredential as the authentication strategy.
Here is the code:
using Azure.Identity;
using Microsoft.Graph;

// Client credentials flow: the app authenticates as itself (no signed-in user),
// so only application permissions granted to the app registration apply.
var credentials = new ClientSecretCredential("xxx-tenantID", "xxx-clientId", "xxx-clientSecret");

// ".default" requests every application permission already consented for this app.
var graphServiceClient = new GraphServiceClient(credentials, new[] { "https://graph.microsoft.com/.default" });

// Read the Inbox of one specific (service) mailbox.
var result = await graphServiceClient.Users["[email protected]"].MailFolders["Inbox"].Messages.Request().GetAsync();
It seems to log in correctly, but then it gets an access denied error when trying to access the specific inbox:
Unhandled exception. Status Code: Forbidden
Microsoft.Graph.ServiceException: Code: ErrorAccessDenied
Message: Access is denied. Check credentials and try again.
I think we miss some authorization on the azure side; in particular, we can't find the place where the application is authorized to access that specific mail box ([email protected]).
When we give the application the authorization shown below, it works.
Unfortunately this gives access to all the mailboxes in the organization, and this is unacceptable since this app should only access the service mailbox it was designed to manage.
The question now is how to limit the access to only the mailbox required.
Sorry for the Italian language in the screenshot; the highlighted text means "Administrator consent" and is the setting that made the application work.
Upvotes: 1
Views: 1122
Reputation: 2580
To summarize you want to use client credentials to access a single mailbox?
You can use this PowerShell command to create an application access policy that restricts this application to a single mailbox or a group of mailboxes.
https://learn.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId <String[]> -PolicyScopeGroupId [email protected]
Upvotes: 2
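As an added, end-to-end example (not part of the answer above): the same Exchange Online PowerShell procedure carried through for one service mailbox, followed by a check of what the policy actually decides for that mailbox and for an unrelated one. The app ID, mailbox addresses and admin account are placeholders; the cmdlets (Connect-ExchangeOnline, New-ApplicationAccessPolicy, Get-ApplicationAccessPolicy, Test-ApplicationAccessPolicy) are from the ExchangeOnlineManagement module. The Graph application permission (e.g. Mail.Read) plus admin consent still has to be granted to the app registration; the access policy only narrows which mailboxes that tenant-wide grant can reach.

```powershell
# Added example: scope an app registration's mailbox access to one service mailbox.
# Placeholders (assumptions, replace with your own values):
$AppId          = "00000000-0000-0000-0000-000000000000"   # Application (client) ID of the app registration
$ServiceMailbox = "service-mailbox@contoso.example"         # the only mailbox the app may read
$OtherMailbox   = "someone-else@contoso.example"            # any other mailbox, used to confirm denial
$AdminUpn       = "admin@contoso.example"                   # Exchange admin used for the session

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# RestrictAccess: the app may only reach the mailboxes in the policy scope.
# PolicyScopeGroupId accepts a single mailbox address or a mail-enabled security group.
New-ApplicationAccessPolicy `
    -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $ServiceMailbox `
    -Description "Background mail reader: service mailbox only"

# Review what is configured for this app (useful when a policy already exists).
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, AccessRight, ScopeName, Description

# Verify the decision for the allowed mailbox and for an unrelated one.
# Test-ApplicationAccessPolicy returns an object whose AccessCheckResult is Granted or Denied.
# Note: a new policy can take some time to take effect in the service, so retry if the
# first check does not reflect the policy yet.
$allowed = Test-ApplicationAccessPolicy -Identity $ServiceMailbox -AppId $AppId
$blocked = Test-ApplicationAccessPolicy -Identity $OtherMailbox   -AppId $AppId

if ($allowed.AccessCheckResult -ne 'Granted') {
    Write-Warning "App $AppId is NOT allowed to reach $ServiceMailbox; check the policy scope."
}
if ($blocked.AccessCheckResult -ne 'Denied') {
    Write-Warning "App $AppId can still reach $OtherMailbox; the restriction is not effective."
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the app later needs a second mailbox, put the mailboxes in a mail-enabled security group and use that group's address as -PolicyScopeGroupId instead of re-creating the policy per mailbox.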