Microsoft Graph API - Sending email as another user

In our application, we need to send notifications to users by email for various event triggers.

I'm able to send email if I send as "Me" (the current user), but trying to send as another user account returns an error message. I'd prefer it if notifications didn't come from the users themselves, and they may contain info we don't want floating around in Sent folders.

What works:

await graphClient.Me.SendMail(email, SaveToSentItems: false).Request().PostAsync();

What doesn't work:

string FromUserEmail = "[email protected]";
await graphClient.Users[FromUserEmail].SendMail(email, SaveToSentItems: false).Request().PostAsync();

Also tried using the user object id directly:

await graphClient.Users["cd8cc59c-0815-46ed-aa45-4d46c8a89d72"].SendMail(email, SaveToSentItems: false).Request().PostAsync();

My application has permissions for the Graph API to "Send mail as any user" enabled and granted by the owner/administrator.

The error message returned by the API:

Code: ErrorFolderNotFound Message: The specified folder could not be found in the store.

I thought this error might have been because the notifications account didn't have a sent folder, so I set the SaveToSentItems value to false, but I still get the same error.

Are there any settings I need to check on the account itself to allow the app to send mail on this account or should this work?

I have checked out the documentation here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_sendmail

Which appears to support what I'm trying to do, but doesn't reference any folder except for the sent items folder which I'm telling the API not to save to anyway.

We aren't intending to impersonate any actual user here, just send notification emails from within the app from this specific account (which I know is technically impersonation, but not of a real entity).

Stuart Frankish Avatar asked Oct 04 '18 13:10

1 Answer

Whenever you are using delegated permissions (i.e. when a user is logged in), even though your admin has consented to the Mail.Send.Shared permission, it does NOT grant access to all mailboxes in the tenant. These OAuth permissions do not override the permissions (and restrictions) in place for the user.

If the user is not already configured with permissions to be able to "Send As" the [email protected] user, then you'll see this error.

To make it work, you'd need to actually grant "Send As" rights to all users that will be using your application.

This is a subtle thing, and granted it's a bit confusing. In the Azure portal, the permissions have slightly different descriptions, depending on if you're looking at the Application Permissions or the Delegated Permissions.

  • Application: Send mail as any user
  • Delegated: Send mail on behalf of others

Since you're using delegated, the permission doesn't allow you to send as any user, only send on behalf of any folks that the logged-on user has rights to send as.

Another approach you could use here to avoid having to grant these rights to all users (which would allow them to send via Outlook, etc.) would be to have your backend app use the client credentials flow to get an app-only token. In that case, the app itself would have the permission to send as any user.

Jason Johnston Avatar answered Sep 28 '22 05:09

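The app-only approach from the answer above, written out as an added example (this is editor-supplied code, not the asker's or the answerer's). It assumes the Microsoft.Graph 4.x SDK together with Azure.Identity, an app registration that has been granted the Application permission Mail.Send with admin consent, and a dedicated notification mailbox; the tenant id, client id, secret and mailbox address are placeholders, and `NotificationMailer`, `CreateAppOnlyClient`, `BuildNotification` and `SendNotificationAsync` are names chosen for this example.

```csharp
// Added example: send a notification from a dedicated mailbox using an
// app-only token from the client credentials flow, so no per-user "Send As"
// rights are needed. Assumes Microsoft.Graph 4.x and Azure.Identity.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;

public static class NotificationMailer
{
    // Placeholders: load these from configuration or a secret store,
    // never from source control.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<app-registration-client-id>";
    private const string ClientSecret = "<client-secret>";
    private const string NotificationMailbox = "notifications@example.com";

    public static GraphServiceClient CreateAppOnlyClient()
    {
        // Client credentials flow: there is no signed-in user, so the app's own
        // Application permission (Mail.Send) applies instead of delegated rights.
        var credential = new ClientSecretCredential(TenantId, ClientId, ClientSecret);

        // The .default scope requests every Application permission an admin
        // has already consented to for this app.
        var scopes = new[] { "https://graph.microsoft.com/.default" };
        return new GraphServiceClient(credential, scopes);
    }

    public static Message BuildNotification(string toAddress, string subject, string bodyText)
    {
        return new Message
        {
            Subject = subject,
            Body = new ItemBody { ContentType = BodyType.Text, Content = bodyText },
            ToRecipients = new List<Recipient>
            {
                new Recipient { EmailAddress = new EmailAddress { Address = toAddress } }
            }
        };
    }

    public static async Task SendNotificationAsync(
        GraphServiceClient graphClient, string toAddress, string subject, string bodyText)
    {
        var email = BuildNotification(toAddress, subject, bodyText);
        try
        {
            // POST /users/{mailbox}/sendMail with the app-only token: the app
            // sends as the notification mailbox, not as any signed-in user.
            await graphClient.Users[NotificationMailbox]
                .SendMail(email, SaveToSentItems: false)
                .Request()
                .PostAsync();
        }
        catch (ServiceException ex)
        {
            // Surface the Graph error code (e.g. ErrorFolderNotFound) so the
            // failure is logged with enough detail to diagnose.
            Console.Error.WriteLine($"Graph sendMail failed: {ex.Error?.Code} - {ex.Error?.Message}");
            throw;
        }
    }

    public static async Task Main()
    {
        var client = CreateAppOnlyClient();
        await SendNotificationAsync(
            client,
            "user@example.com",
            "Event triggered",
            "An event you subscribed to has fired.");
    }
}
```

Because the Application permission Mail.Send lets this app send as any mailbox in the tenant, as the answer notes, the usual least-privilege step is to scope it in Exchange Online with an application access policy (the `New-ApplicationAccessPolicy` cmdlet with `-AccessRight RestrictAccess`) so that the app registration can only act on the notification mailbox; a compromised client secret then cannot be used to send from other users' mailboxes.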