Only allow accessing emails from users assigned to Azure Enterprise Application using Confidential Client Credential Flow

littlerat
December 30, 2023
204 views
0 votes
2 Answers

I have an application where I want to send and read emails for a specific list of users assigned to an Azure Enterprise Application using the MS Graph API and the Confidential Client Credential flow. I do not know which users these will be initially, but I can query them through the service principals endpoint for the application and let the application user pick which one(s) to use.

I understand that I need to add the Application level User.Read.All, Mail.Send, and Mail.Read API permissions to the App registration and grant admin consent for them, however after retrieving the confidential client token and calling the https://graph.microsoft.com/v1.0/users/{user}/sendMail endpoint with it, I find it will still let me send from any user in the domain and not just the ones assigned to the application. The Assignment required setting in the enterprise application properties doesn’t appear to affect this.

Is there a way to ensure the endpoint cannot be used to send/read user emails that are not assigned to the enterprise application?

Answers

- user2250152
- December 7, 2023 at 8:39 am
- 0 votes
0
I would prefer another way than assigning users to the enterprise application.

There is an endpoint for role assignment (currently only in beta) for Exchange provider.

With this endpoint you can define that your specific enterprise app will be able to send emails for a group of users.

Prerequisite is to create an administrative unit and add those users as members of this administrative unit.
1. Create administrative unit
```
POST /v1.0/directory/administrativeUnits
```
1. Add members to administrative unit
```
POST /v1.0/directory/administrativeUnits/{id}/members/$ref
```
1. Find id of role definition to send mail as application
```
GET /beta/roleManagement/exchange/roleDefinitions?$filter=displayName eq 'Application Mail.Send'
```
1. Create role assignment for your enterprise app but limit the role for a specific administrative unit
```
POST /beta/roleManagement/exchange/roleAssignments
{
    "principalId": "/ServicePrincipals/{your_enterprise_app_id}",
    "roleDefinitionId": "{role_definition_id_for_mail_send}",
    "directoryScopeId": "/AdministrativeUnits/{administrative_unit_id}",
    "appScopeId": null
}
```
It can take from 30 minutes to 2 hours until the role is applied in Azure.

Repeat point 3. and 4. for Mail.Read (or Mail.ReadBasic)
1. Find id of role definition to read mails as application
```
GET /beta/roleManagement/exchange/roleDefinitions?$filter=displayName eq 'Application Mail.Read'
```
1. Create role assignment for your enterprise app but limit the role for a specific administrative unit
```
POST /beta/roleManagement/exchange/roleAssignments
{
    "principalId": "/ServicePrincipals/{your_enterprise_app_id}",
    "roleDefinitionId": "{role_definition_id_for_mail_read}",
    "directoryScopeId": "/AdministrativeUnits/{administrative_unit_id}",
    "appScopeId": null
}
```
The advantages:
- no need to add Mail.Send, Mail.Read permissions for the app in Azure (Entra) portal
- user is removed from administrative unit => app is not be able to send/read emails of that user
- user is added to an administrative unit => app is be able to send/read emails
- limited to a specific set of users
Resource:

RBAC for Exchange Provider Preview
Login or Signup to reply.

- Rukmini
- December 7, 2023 at 8:41 am
- 0 votes
0
I created an Azure AD application and granted API permissions like below:

And set Assignment required as YES in the Enterprise application:

For sample added ruk user:

Now I generated access token using Client Credentials flow by using below parameters via Postman:
```
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
```
By using the above access token, I tried to send mail by another user which is not assigned to the Enterprise application. And I am able to send mail successfully:
```
POST https://graph.microsoft.com/v1.0/users/[email protected]/sendMail
Content-type: application/json

{
  "message": {
    "subject": "Meet for lunch?",
    "body": {
      "contentType": "Text",
      "content": "The new cafeteria is open."
    },
    "toRecipients": [
      {
        "emailAddress": {
          "address": "[email protected]"
        }
      }
    ],
    "ccRecipients": [
      {
        "emailAddress": {
          "address": "[email protected]"
        }
      }
    ]
  },
  "saveToSentItems": "false"
}
```
Note that: If you are setting Assignment required to YES then it works for only User Sign-in scenario or User interactive flow not for Confidential Client Credential Flow as there is no user interaction involved.

For Client Credential Flow/Application identity scenario, you must configure Application Access Policy like below:
```
Connect-ExchangeOnline

New-ApplicationAccessPolicy -AppId ClientID -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "test"
```
You can test the policy against other users:
```
Test-ApplicationAccessPolicy -Identity [email protected] -AppId ClientID

Test-ApplicationAccessPolicy -Identity [email protected] -AppId ClientID
```
Now only the ruk user will be able to send mail using the access token generated by Client Credential flow for the application.
- You can create the group and add users you want to access application and configure the policy by passing the group id.
- If you do not want to configure application access policy, then set assignment required to YES and make use of user interactive flow.
References:

How to allow Azure Ad App to access information only for certain users? – Microsoft Q&A by krish-gh

New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.