
Background: We have a Linux-based robotic application (written in Lisp) that reads the application support mailbox and responds appropriately to customer emails. Currently the mail reading is done using the IMAP access protocol. As per a new security policy we need to use Microsoft Graph APIs to access/read our application mailbox.

We need to use the "resource owner password credential" approach as we do not have any web.

We could not use "Delegated permissions" as our application cannot be the signed-in user.

We wanted to use "Application permissions" like "Mail.ReadWrite" & "Mail.Send". But these application permissions would give access to all the mailboxes in the organization.

So my question is, can my administrator provide "Admin Consent" such that my application can access one mailbox alone?

2 Answers


Hi @pavan, you need to get the admin to approve the application permissions and then get them to set an application access policy so it can only access a specific mailbox.

From https://domainaware.github.io/parsedmarc/ :

Use the New-ApplicationAccessPolicy command in the Exchange PowerShell module. If you need to scope the policy to shared mailboxes, you can add them to a mail enabled security group and use that as the group id.

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "<CLIENT_ID>" -PolicyScopeGroupId "<MAILBOX>" -Description "Restrict access to specific mailbox."
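The full admin-side procedure the answer describes, as an added example that is not part of the answer above or of parsedmarc: connect to Exchange Online, create the RestrictAccess policy for the app registration, and then use Test-ApplicationAccessPolicy to confirm that the app is granted access to the support mailbox and denied access to any other mailbox. The client ID, the admin UPN and both mailbox addresses are placeholders I assumed for the example.

```powershell
# Added example (not from the answer above or from parsedmarc): scope an app
# registration's Mail.ReadWrite / Mail.Send application permissions to a single
# mailbox with an Exchange Online application access policy, then verify it.
# Assumed values: the app's client ID, the admin account, the support mailbox
# and a second mailbox used only to confirm that access is denied.

$AppId          = "00000000-0000-0000-0000-000000000000"   # assumed: client ID of the app registration
$SupportMailbox = "support@contoso.com"                    # assumed: the only mailbox the robot may use
$OtherMailbox   = "ceo@contoso.com"                        # assumed: any mailbox the app must NOT reach

# Requires the ExchangeOnlineManagement module and an Exchange administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # assumed admin UPN

# Optional: to allow several mailboxes (e.g. shared mailboxes), put them in a
# mail-enabled security group and pass the group as -PolicyScopeGroupId instead.
# New-DistributionGroup -Name "GraphMailAppScope" -Type Security -Members $SupportMailbox

# Create the policy. Without one, application permissions reach every mailbox
# in the tenant, which is exactly the problem raised in the question.
New-ApplicationAccessPolicy `
    -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $SupportMailbox `
    -Description "Restrict the support robot to the support mailbox only."

# List the policies that apply to this app so the change can be reviewed.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }

# Verify both directions. AccessCheckResult should read Granted for the
# support mailbox and Denied for the other one.
Test-ApplicationAccessPolicy -Identity $SupportMailbox -AppId $AppId
Test-ApplicationAccessPolicy -Identity $OtherMailbox  -AppId $AppId

Disconnect-ExchangeOnline -Confirm:$false
```

A new policy can take a while to propagate, so run the Test-ApplicationAccessPolicy checks again before relying on it. Once it is in place, Graph requests from the app to any mailbox outside the scope fail with HTTP 403, while requests to the support mailbox succeed. Because the app authenticates with client credentials and has no signed-in user, it must address the mailbox explicitly (for example /users/support@contoso.com/mailFolders/Inbox/messages) rather than using /me.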


If you can log in to Azure, etc. as the user that your script uses, you can create your own personal access token -

https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/pats?view=azure-devops

And then you can use the "me" reference in your API calls -

https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/messages

ivanivan
  • 1,548