Ishan

Reputation: 1

Reading office 365 emails with only delegate access

Is it possible to read Office 365 emails in C# using only delegated permissions in AAD, since I don't have the right to grant admin consent?

If so, how can this be done? I cannot find anything regarding this.

I have got the access token, but when I try to access the emails it gives a 403 Forbidden error.

Upvotes: 0

Views: 165

Answers (2)

Mehtab Siddique

Reputation: 645

To read mail with delegated access, you can use the query below:

GET /users/{id | userPrincipalName}/messages/{id}/$value

The delegated permissions required:

[screenshot: delegated permissions table for this endpoint]

Upvotes: 0

Tiny Wang

Reputation: 15991

That depends on the API you are using. Assuming you are using the List messages API, the required permissions for the delegated type are as below.

[screenshot: delegated permissions for the List messages API]

In Azure AD, we can see that none of the 3 API permissions requires admin consent, so it's OK to call this API without admin consent.

[screenshot: API permissions in Azure AD, admin consent not required]

We need to use the auth code flow to generate an access token. You can have a look at this answer about the test result of using the auth code flow with an unconsented API permission.

For an ASP.NET Core MVC application, you can write code like this sample to integrate Azure AD and the Graph SDK, consent to the API permission and call the Graph API.

Here, for example, the API permission we require is Mail.Read, so the code in Program.cs should look like:

// Program.cs (ASP.NET Core MVC with Microsoft.Identity.Web)
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApp(builder.Configuration)              // reads the "AzureAd" section of appsettings
                //.EnableTokenAcquisitionToCallDownstreamApi()                  // no initial scopes: no consent prompt at sign-in
                .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "Mail.Read" }) // delegated scope requested at sign-in
                .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
                .AddInMemoryTokenCaches();

Then when we sign in to the app, we get this dialog asking for consent on behalf of the user. If we don't set Mail.Read in EnableTokenAcquisitionToCallDownstreamApi, we won't get this consent dialog.

[screenshot: user consent dialog for Mail.Read]

By the way, if we don't give user consent, we get the error below when calling the API via the Graph client with var a = await _graphServiceClient.Me.Messages.Request().GetAsync();

[screenshot: error returned when consent has not been granted]

If we give user consent, then it should work. Since I don't have a mail resource, I got this information.

[screenshot: response after consent is granted]

Upvotes: 0
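The two answers above describe the pieces (a delegated Mail.Read scope, the auth code flow, a Graph call). The following is an added example, not code from the question or from either answer: a self-contained .NET console program that does the whole round trip with MSAL (Microsoft.Identity.Client) and a plain HttpClient, so it works outside an MVC app. It also decodes the token's scp claim and prints the Graph 403 body, which is the first thing to look at when the question's "403 Forbidden" appears: a token that does not carry Mail.Read (for example one minted with a client credential instead of a signed-in user) will be refused no matter what the portal shows. The tenant and client IDs, the http://localhost redirect URI and the public-client app registration are assumptions; replace them with your own values.

```csharp
// Added example (not from the question or answers): delegated Mail.Read over the
// auth code flow with MSAL, then a Graph call as the signed-in user.
// Assumptions: a public-client app registration with redirect URI http://localhost;
// the IDs below are placeholders. NuGet: Microsoft.Identity.Client
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    // Placeholder identifiers: replace with your own app registration values.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<client-id>";

    // Delegated scope only; no application permission, so no admin consent is needed.
    static readonly string[] Scopes = { "Mail.Read" };

    static async Task Main()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();

        // Interactive sign-in runs the authorization code flow (with PKCE) and shows
        // the user-consent dialog for Mail.Read the first time this user signs in.
        AuthenticationResult result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();

        // What the token actually carries is what Graph will enforce. If Mail.Read is
        // missing here, the portal configuration is irrelevant and Graph answers 403.
        Console.WriteLine("Granted scopes: " + string.Join(" ", result.Scopes));
        Console.WriteLine("scp claim:      " + ReadScpClaim(result.AccessToken));

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        // /me resolves to the signed-in user. A delegated token only reaches other
        // mailboxes that this user has been granted access to (e.g. shared mailboxes).
        var resp = await http.GetAsync(
            "https://graph.microsoft.com/v1.0/me/messages?$top=5&$select=subject,from,receivedDateTime");
        var body = await resp.Content.ReadAsStringAsync();

        if (resp.StatusCode == HttpStatusCode.Forbidden)
        {
            // Graph's 403 body names the missing permission; surface it rather than swallowing it.
            Console.WriteLine("403 Forbidden from Graph: " + body);
            return;
        }
        resp.EnsureSuccessStatusCode();

        using var doc = JsonDocument.Parse(body);
        foreach (var msg in doc.RootElement.GetProperty("value").EnumerateArray())
        {
            Console.WriteLine(
                $"{msg.GetProperty("receivedDateTime").GetString()}  {msg.GetProperty("subject").GetString()}");
        }
    }

    // Diagnostic only: decodes the JWT payload (base64url, no signature check) and returns
    // the space-separated delegated scopes from the scp claim. An app-only token has no
    // scp claim at all, which is a common cause of the 403 in the question.
    static string ReadScpClaim(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.TryGetProperty("scp", out var scp)
            ? scp.GetString() ?? ""
            : "(no scp claim: this is not a delegated token)";
    }
}
```

Run it once as the user whose mailbox you want to read; the consent dialog appears only on the first sign-in for that user and app. If the scp line shows Mail.Read and Graph still returns 403, the body of the response will say which permission it expected, which is more useful than the bare status code.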
