With a service I am able to get a list of users from our Azure tenant, but I am unable to give the service app the correct permissions to read messages in a shared mailbox. The following code is a stripped-down version of the code; the userId is the GUID associated with the user account for the shared mailbox.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

private const string AuthorityFormat = "https://login.microsoftonline.com/{0}/v2.0";
private const string GraphScopeDefault = "https://graph.microsoft.com/.default";
private const string GraphUrl = "https://graph.microsoft.com/v1.0";
private const string RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";

public static async Task GetMailAsync(string tenantId, string clientId, string clientSecret, string redirectUri, string userId)
{
    // Client-credentials (app-only) flow: no user signs in, so the token carries application roles only.
    var daemonClient = ConfidentialClientApplicationBuilder.Create(clientId)
        .WithAuthority(string.Format(AuthorityFormat, tenantId))
        .WithRedirectUri(redirectUri)
        .WithClientSecret(clientSecret)
        .Build();
    var authResult = await daemonClient.AcquireTokenForClient(new[] { GraphScopeDefault }).ExecuteAsync();

    // Attach the bearer token to every outgoing Graph request.
    async Task AuthenticateRequestAsyncDelegate(HttpRequestMessage requestMessage) =>
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);
    var graphClient = new GraphServiceClient(GraphUrl, new DelegateAuthenticationProvider(AuthenticateRequestAsyncDelegate));

    // userId is the object id (GUID) of the shared mailbox's user account.
    var messages = await graphClient
        .Users[userId]
        .Messages
        .Request()
        .GetAsync();
}
```
This is the resultant error: Microsoft.Graph.ServiceException: 'Code: ErrorAccessDenied Message: Access is denied. Check credentials and try again.
I have confirmed through Exchange PowerShell scripts that the App-Id has access to this mailbox:

Test-ApplicationAccessPolicy -Identity [email protected] -AppId {appId guid}
With the following response: AccessCheckResult : Granted
The API permissions granted (and yes, they have been approved by the admin):

The same code calling the Users API works:

var userPage = await graphClient.Users.Request().GetAsync();
Any idea what could be the problem? Are there any logs in the Azure App Portal that could tell me what the problem could be with the failed attempts?
Thanks in advance!
acg
***** UPDATE *****
The issue is mailbox specific: whether using my code or Jeremy's, both get the same error with one of our shared mailboxes but work completely fine with another. Both of the mailboxes show that permissions are granted through the PowerShell command; is there any way to get more details from logs or events in Azure?
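To get more than "Access is denied" out of a failing call, the following is an added diagnostic example (not code from the question or from Jeremy's answer): it decodes the roles claim of the app-only token to confirm that Mail.Read was actually issued, then probes one mailbox and, on a ServiceException, surfaces the Graph request-id and date that the tenant's sign-in/audit logs and Microsoft support key on. It assumes the same MSAL and Microsoft.Graph (DelegateAuthenticationProvider-era) packages as the question; the class and method names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;
public static class MailboxDiagnostics
{
    // Decode the JWT payload without validating it (it is our own freshly issued token)
    // and return the app roles the tenant actually granted; Mail.Read must be among them.
    public static string[] AppRolesInToken(string accessToken)
    {
        var payload = accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.TryGetProperty("roles", out var roles)
            ? roles.EnumerateArray().Select(r => r.GetString()).ToArray()
            : Array.Empty<string>();
    }
    // Acquire an app-only token, report its roles, probe one mailbox, and log the correlation ids on failure.
    public static async Task ProbeMailboxAsync(string tenantId, string clientId, string clientSecret, string userId)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
            .WithClientSecret(clientSecret)
            .Build();
        var auth = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync();
        Console.WriteLine($"app roles in token: {string.Join(", ", AppRolesInToken(auth.AccessToken))}");
        var graph = new GraphServiceClient(new DelegateAuthenticationProvider(req =>
        {
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", auth.AccessToken);
            return Task.CompletedTask;
        }));
        try
        {
            var page = await graph.Users[userId].Messages.Request().Top(1).GetAsync();
            Console.WriteLine($"{userId}: OK, {page.Count} message(s) returned");
        }
        catch (ServiceException ex)
        {
            // innerError carries request-id/date; these are the keys to look up in Azure AD logs.
            var inner = ex.Error?.InnerError?.AdditionalData ?? new Dictionary<string, object>();
            string Get(string key) => inner.TryGetValue(key, out var v) ? v?.ToString() : "n/a";
            Console.WriteLine($"{userId}: {(int)ex.StatusCode} {ex.Error?.Code} - {ex.Error?.Message} " +
                              $"request-id={Get("request-id")} date={Get("date")}");
        }
    }
}
```

Run it once against the working mailbox and once against the failing one: if the roles line is identical in both runs, the difference is on the Exchange side (policy or mailbox state), not in the app's consent.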
