How to Configure OAuth Authentication in Azure AD for Accessing Office 365 Mailbox via Microsoft Graph API

Introduction

Accessing Office 365 mailboxes programmatically can streamline many administrative and user-facing processes. In this blog post, I’ll walk you through how I configured OAuth authentication in Azure AD’s App Registration and Enterprise application to access an Office 365 mailbox using the Microsoft Graph API. This approach uses the application method in Microsoft Graph API, which doesn’t require an interactive sign-in.

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so that you can create better APIs faster.

You can use the Microsoft Graph Postman collection to get started with Microsoft Graph APIs in minutes.

Steps to Create App Registration in Azure AD / Entra ID

1. Login to Azure Portal:

• Navigate to Azure Portal.

2. Register a New Application:

• Go to Microsoft Entra ID > App registrations.
• Click on New Registration.
• Enter a name for your application.
• Choose the supported account types (e.g., Accounts in this organizational directory only).
• Click Register.

3. Configure API Permissions:

• In the newly created app, go to API permissions.
• Click Add a permission.
• Select Microsoft Graph.
• Choose Application Permissions.
• Search for Mail.ReadWrite and add it.
• Click Grant admin consent for {your organization} and confirm.

Further More

If you want to add more access like sending the email for any application, you may use mail.send or specific to your requirement.

Delegated Permissions

You may also use delegated permission if you need API access as a signed-in user then you may use POP, IMAP or SMTP for specific user.

*To restrict the application permissions to specific mailbox please read this blog until the end

Using Postman to Access Emails

To access emails, I followed the steps outlined in the Microsoft Graph Postman article. Here’s a summary of the process:

1. Configure Postman Environment:

• Set up a new environment in Postman with variables for client_id, client_secret, tenant_id, and token.

2. Obtain an Access Token:

• Use the following request to obtain an access token:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

• Headers:

Content-Type: application/x-www-form-urlencoded

• Body (x-www-form-urlencoded):

client_id: {{client_id}}

scope: https://graph.microsoft.com/.default

client_secret: {{client_secret}}

grant_type: client_credentials

3. Access Emails via Microsoft Graph API:

• Use the obtained token to make a request to the Microsoft Graph API:

GET https://graph.microsoft.com/v1.0/users/{user_object_id}/messages

• Headers:

Authorization: Bearer {{token}}

Restricting Mailbox Access Using PowerShell

To restrict the app’s permissions to specific mailboxes, I followed the steps in this Microsoft Graph article. Here’s how to do it:

1. Install the Exchange Online PowerShell Module:

• Open PowerShell as an administrator.
• Run:

Install-Module -Name ExchangeOnlineManagement

2. Connect to Exchange Online:

• Run:

Connect-ExchangeOnline -UserPrincipalName <admin>@<domain>.com

3. Restrict Mailbox Access:

• Run the following commands to restrict mailbox access:

$AppId = "<your-app-id>"

$Mailboxes = @("user1@domain.com", "user2@domain.com")

foreach ($Mailbox in $Mailboxes) {

    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Mailbox -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"

}

Verify the Policy:

• Run:

Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b

The output of this command will indicate whether the app has access to User1’s mailbox.

By following these steps, I successfully configured OAuth authentication in Azure AD / Entra ID for accessing an Office 365 mailbox via Microsoft Graph API, without requiring interactive sign-in. This setup is ideal for backend services and automation tasks that need to access mailbox data programmatically.

Conclusion

Configuring OAuth authentication in Azure AD /Entra ID and restricting mailbox access provides a secure and efficient way to manage Office 365 mailboxes via the Microsoft Graph API. By following the steps outlined above, you can ensure that your application has the necessary permissions while maintaining strict access controls.

For further details and step-by-step guidance, refer to the official Microsoft documentation:

• Use Postman with Microsoft Graph
• Limit mailbox access

More Azure AD Articles

How to login to different tenant in Azure portal?

• About
• Latest Posts

Ravi Chopra

With 19 years of hands-on experience in the IT industry, I’m passionate about sharing the knowledge I’ve gained across a wide range of technologies. Specializing in Active Directory, Azure, VMware, Windows, and Linux, I am dedicated to empowering IT professionals and enthusiasts with practical insights and solutions.

Whether you’re looking for troubleshooting tips, deep dives into systems architecture, or the latest in cloud computing, I’m here to help you navigate the evolving tech landscape. Let’s connect, learn, and grow together!

📧 ravi.chopra1709@gmail.com

Latest posts by Ravi Chopra (see all)

• What is Active Directory? A Complete Guide for IT Professionals - 18 November 2024
• Enterprise Virtualization Platforms Comparison: A Technical Deep Dive - 29 October 2024
• Docker Swarm: The Complete Guide to Container Orchestration - 28 October 2024