1
votes

The objective: having a one-time consent from an admin to be able to read all company mailboxes, using some functionalities of the Graph API and some of the Outlook REST API (webhooks are more advanced).

Reading the Microsoft doc, it seems the best flow is "OAuth 2.0 client credentials grant".

  • My app is created through apps.microsoft.com, and scopes are defined to access all mailboxes.
  • The admin connects to https://login.microsoftonline.com/common/adminconsent?client_id=XXX&redirect_uri=XXX.
  • Then I retrieve the token from https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token with grant_type=client_credentials&client_id=XX&client_secret=XX&scope=https://graph.microsoft.com/.default
  • The token is returned. Everything works perfectly with Microsoft Graph.

But when I retrieve a token with the scope changed to https://outlook.office.com/.default, I get a token which is refused for my query, with a 401 and a 'too weak token with strength 1 instead of 2'.

Where should we change the scopes? Or should I use another authorization flow?

Thanks

1
Let me test this on my side. Things have changed in the app portal and I want to be sure I'm telling you current information :) – Jason Johnston

After some reading, I found that the protocol is different for the Outlook REST API: it needs an X509 certificate to create a JWT token. It seems it's OK (no more "too weak token", but an "unauthorized access"). Now the problem is: I have to grant app authorization for the Outlook API. I can't do that from the apps.dev.microsoft.com portal (only Graph scopes), and I can't update authorizations from my client's manage.windowsazure portal since the app doesn't have an "App URI ID" once created through apps.dev.microsoft.com (manual update through the manifest is not accepted). I am going crazy! – Sybic2001

1 Answer

0
votes

The Outlook endpoint requires a token obtained with an X509 certificate credential, rather than a client secret, and it also requires a token with the proper audience (the aud parameter in the JWT). To get all this, you need to register the app in the Azure portal (portal.azure.com or manage.windowsazure.com) and upload your public key in the app registration's manifest. I have a sample that does this here: https://github.com/jasonjoh/outlook-fetch.

Unfortunately as it stands right now there's no way to add Outlook-specific scopes to the App registration portal (apps.dev.microsoft.com), making the Azure registration method necessary in this case.
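The certificate-based token request the answer describes, as an added example that is not part of the original question, the answer, or the linked outlook-fetch sample. It builds the RS256-signed client assertion (with the x5t certificate thumbprint in the header and the token endpoint as its aud) that takes the place of the client_secret in the question's client-credentials request, produces the form body for the https://outlook.office.com/.default scope, and decodes a returned token's claims so you can confirm its aud before assuming the API is at fault. The tenant and client ids are placeholders, and the key and self-signed certificate are generated in-process for the demo; in real use the private key stays in a key store and the certificate's public key is what you upload to the app registration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

const (
	tenantID     = "TENANT_ID_PLACEHOLDER"                // placeholder: substitute the real tenant id
	clientID     = "CLIENT_ID_PLACEHOLDER"                // placeholder: substitute the application (client) id
	outlookScope = "https://outlook.office.com/.default" // its own resource, so its own token audience
)

// TokenEndpoint is where the assertion is posted and the value its "aud" claim must carry.
func TokenEndpoint(tenant string) string {
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token"
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// X5T is the base64url SHA-1 thumbprint of the certificate DER; the "x5t" header tells Azure AD which uploaded public key to verify with.
func X5T(certDER []byte) string { sum := sha1.Sum(certDER); return b64url(sum[:]) }

// BuildClientAssertion signs the JWT that takes the place of client_secret (RS256 over header.payload).
func BuildClientAssertion(key *rsa.PrivateKey, certDER []byte, tenant, client string, now time.Time) (string, error) {
	jti := make([]byte, 16) // random id so the assertion cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": X5T(certDER)})
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": TokenEndpoint(tenant), "iss": client, "sub": client, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), // keep it short-lived
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestForm is the form body for the token endpoint; scope selects the resource.
func TokenRequestForm(assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
		"scope":                 {scope},
	}
}

// Claims decodes a JWT payload without verifying it, so a returned access token can be inspected:
// an "aud" that is not the host you are calling is the usual reason for a 401.
func Claims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, err
	}
	var c map[string]interface{}
	return c, json.Unmarshal(raw, &c)
}

// DemoKeyAndCert makes a throwaway key and self-signed certificate, constructed for this example only.
func DemoKeyAndCert() (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mailbox-reader-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, der
}

func main() {
	key, der := DemoKeyAndCert()
	assertion, err := BuildClientAssertion(key, der, tenantID, clientID, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("POST", TokenEndpoint(tenantID)+"\n"+TokenRequestForm(assertion, outlookScope).Encode())
}
```

`go run` prints the endpoint and the form body you would POST. When a call still comes back 401, run `Claims` on the access token you received and compare its `aud` with the host you are calling: a token minted for graph.microsoft.com is not accepted by outlook.office.com, and vice versa. `Claims` deliberately skips signature verification, so it is only for inspecting tokens you obtained as a client, never for accepting tokens on a server.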