Introduction
Accessing Office 365 mailboxes programmatically can streamline many administrative and user-facing processes. In this blog post, I’ll walk you through how I configured OAuth authentication in Azure AD’s App Registration and Enterprise application to access an Office 365 mailbox using the Microsoft Graph API. This approach uses the application method in Microsoft Graph API, which doesn’t require an interactive sign-in.
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so that you can create better APIs faster.
You can use the Microsoft Graph Postman collection to get started with Microsoft Graph APIs in minutes.
Steps to Create App Registration in Azure AD / Entra ID
1. Login to Azure Portal:
- Navigate to Azure Portal.
2. Register a New Application:
- Go to Microsoft Entra ID > App registrations.
- Click on New Registration.
- Enter a name for your application.
- Choose the supported account types (e.g., Accounts in this organizational directory only).
- Click Register.
3. Configure API Permissions:
- In the newly created app, go to API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Choose Application Permissions.
- Search for Mail.ReadWrite and add it.
- Click Grant admin consent for {your organization} and confirm.
Further More
If you want to add more access like sending the email for any application, you may use mail.send or specific to your requirement.
Delegated Permissions
You may also use delegated permission if you need API access as a signed-in user then you may use POP, IMAP or SMTP for specific user.
*To restrict the application permissions to specific mailbox please read this blog until the end
Using Postman to Access Emails
To access emails, I followed the steps outlined in the Microsoft Graph Postman article. Here’s a summary of the process:
1. Configure Postman Environment:
- Set up a new environment in Postman with variables for client_id, client_secret, tenant_id, and token.
2. Obtain an Access Token:
- Use the following request to obtain an access token:
POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
- Headers:
Content-Type: application/x-www-form-urlencoded
- Body (x-www-form-urlencoded):
client_id: {{client_id}}
scope: https://graph.microsoft.com/.default
client_secret: {{client_secret}}
grant_type: client_credentials
3. Access Emails via Microsoft Graph API:
- Use the obtained token to make a request to the Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/users/{user_object_id}/messages
- Headers:
Authorization: Bearer {{token}}
Restricting Mailbox Access Using PowerShell
To restrict the app’s permissions to specific mailboxes, I followed the steps in this Microsoft Graph article. Here’s how to do it:
1. Install the Exchange Online PowerShell Module:
- Open PowerShell as an administrator.
- Run:
Install-Module -Name ExchangeOnlineManagement
2. Connect to Exchange Online:
- Run:
Connect-ExchangeOnline -UserPrincipalName <admin>@<domain>.com
3. Restrict Mailbox Access:
- Run the following commands to restrict mailbox access:
$AppId = "<your-app-id>"
$Mailboxes = @("user1@domain.com", "user2@domain.com")
foreach ($Mailbox in $Mailboxes) {
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Mailbox -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"
}
Verify the Policy:
- Run:
Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b
The output of this command will indicate whether the app has access to User1’s mailbox.
By following these steps, I successfully configured OAuth authentication in Azure AD / Entra ID for accessing an Office 365 mailbox via Microsoft Graph API, without requiring interactive sign-in. This setup is ideal for backend services and automation tasks that need to access mailbox data programmatically.
Conclusion
Configuring OAuth authentication in Azure AD /Entra ID and restricting mailbox access provides a secure and efficient way to manage Office 365 mailboxes via the Microsoft Graph API. By following the steps outlined above, you can ensure that your application has the necessary permissions while maintaining strict access controls.
For further details and step-by-step guidance, refer to the official Microsoft documentation:
More Azure AD Articles
How to login to different tenant in Azure portal?
- Entra ID (Azure Active Directory): Migration and Integration Guide - 20 December 2024
- Active Directory Federation Services (ADFS): Implementation Guide - 16 December 2024
- Active Directory Backup and Recovery Strategy: Comprehensive Guide - 11 December 2024