Can Azure AD OAuth client credentials flow permissions be limited to specific mailboxes?
I have a background service that needs to be able to monitor specific mailboxes for new emails in a customer's Azure AD. Because it's a background service, I'd like to use the OAuth client credentials flow.
To test this out, I registered an application in my own Azure AD (allowing accounts in any organizational directory), and am looking at setting the permissions. My understanding is that, for the client credentials flow, I can only set application-level permissions, not delegated. I see a Mail.Read permission for all mailboxes, but not a way to choose specific ones.
Am I missing the right way to set this up, or is switching to the authorization code flow with delegated permissions my only option?
Note that: You need to pass only application permissions while using Client Credential flow. As there is no user context involved in this flow, they are tenant-wide permissions.
- Hence, if you use Client Credential Flow the Azure AD Application will have same level access to all the mailboxes.
You can make use of Authorization code flow which needs delegated permissions which allows to request access.
I created an Azure AD Application and granted API permissions like below:
Authorized users using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/Mail.Read
&state=12345
Now, I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/Mail.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
Using the above access token, you can read the mails like below:
GET https://graph.microsoft.com/v1.0/me/messages
Otherwise, you can also try limiting the Application to specific mailboxes by creating the Application policy by referring this MsDoc:
New-ApplicationAccessPolicy -AppId AppClientID -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "Restrict this app to members"
Reference:
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- Where can I find a list of scopes for Google's OAuth 2.0 API?
- Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
- Spring security JWT without OAuth
- Add OAuth authentication for HTTP request triggers
- Get email, phone, etc from OAuth2 login
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Apache strips down "Authorization" header
- Fake Firebase Auth Tokens for Test Environment
- Access Not Configured for Google OAUTH Login
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
- Getting user data through an Azure AD OAuth login - React Native Expo App
- Callback github URI with Oauth2 and Spring Boot 3.4.0 not found after authentication
- spring oauth client (v6.4.2): does not redirect to oauth-server
- NextJs: server component vs server action
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- DelegateAuthenticationProvider not found after updating Microsoft Graph
- How to generate and pass CSRF token for a route in spring cloud gateway with Spring Security
- How to set up an (Azure) OAuth2 application for personal Outlook.com accounts (Exchange) for usage with exchangelib?
- Is there a raw Http request way of OAuth2ing with Google?
- What is the purpose of the 'state' parameter in OAuth authorization request
- AWS API Gateway Access vs Id Token
- How to use the Requests OAuthlib with grant-type 'Client Credentials'?
- What is the purpose of a "Refresh Token"?
- Where to store the refresh token on the Client?
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Is possible to create a role based application with OAuth2?
- Cognito: User Pool Client OAuth Scope Limitation