1
votes

I have followed the link Decrypting an encrypted office 365 email using MIP SDK, using MIP SDK (1.6.113), to decrypt an rpmsg successfully when the users and application are in the same Azure AD environment. If I try to decrypt an rpmsg that was sent from an MS 365 Personal account, I am not able to decrypt.

The AcquireToken code gets called twice. The first call to acquire token, when calling AddEngineAsync, has the incoming params:

identity = Microsoft.InformationProtection.Identity
authority = "https://login.windows.net/common"
resource = "https://syncservice.o365syncservice.com/"
claim = ""

The second call to acquire token, when calling CreateFileHandlerAsync, has the incoming params:

identity = Microsoft.InformationProtection.Identity
authority = "https://login.windows.net/54485d23-c432-40fe-8436-6091d627118c"
resource = "https://aadrm.com"
claim = ""

Then the code gives me the following exception:

System.AggregateException
HResult=0x80131500
Message=One or more errors occurred.
Source=mscorlib

StackTrace:
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at MipSdkDotNetQuickstart.Action.CreateFileHandler(FileOptions options) in C:\MyGitHub\MipSdk-Dotnet-File-ServicePrincipalAuth-master\mip-sdk-dotnet-file-SPA\Action.cs:line 179
at MipSdkDotNetQuickstart.Action.RemoveProtection(FileOptions options) in C:\MyGitHub\MipSdk-Dotnet-File-ServicePrincipalAuth-master\mip-sdk-dotnet-file-SPA\Action.cs:line 212
at MipSdkDotNetQuickstart.Program.Main(String[] args) in C:\MyGitHub\MipSdk-Dotnet-File-ServicePrincipalAuth-master\mip-sdk-dotnet-file-SPA\Program.cs:line 111

This exception was originally thrown at this call stack:
[External Code]
MipSdkDotNetQuickstart.Action.CreateFileHandler.AnonymousMethod__0() in Action.cs

Inner Exception 1:
AccessDeniedException: The service didn't accept the auth token. Challenge:['Bearer resource="https://aadrm.com", realm="54485d23-c432-40fe-8436-6091d627118c", authorization="https://login.windows.net/54485d23-c432-40fe-8436-6091d627118c/oauth2/authorize"'], CorrelationId=f63bb5f6-009f-4b9f-a4b7-621df958845b, CorrelationId.Description=FileEngine

What could be the problem here?

Thanks

1
It seems like the problem is your auth token, sending an invalid one or expired, from your error log > The service didn't accept the auth token. – abestrad
I am acquiring the token in the code so it is fresh. What is interesting is that if I use the ADAL with this, the second acquire token brings up a signon to authorize against a Contoso Demo. So, I assume that login.windows.net/54485d23-c432-40fe-8436-6091d627118c/oauth2/… is a Contoso Demo application. How could this happen? – gjm222

1 Answer

1
votes

If you are getting the token with MSAL:

  • when AcquireToken is called with resource "https://syncservice.o365syncservice.com/" you must call app.AcquireTokenSilent(new[]{ "https://psor.o365syncservice.com/UnifiedPolicy.User.Read" }, firstAccount).ExecuteAsync();

  • when AcquireToken is called with resource "https://aadrm.com" you must call app.AcquireTokenSilent(new[]{ "https://aadrm.com/user_impersonation" }, firstAccount).ExecuteAsync();
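An IAuthDelegate that applies the resource-to-scope mapping from this answer, as an added example (not the asker's code and not the MIP SDK sample); the client ID, redirect URI and the generic "/.default" fallback for any other resource are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Identity.Client;
using Microsoft.InformationProtection;

// Added example: maps the resource the MIP SDK requests to the MSAL scope
// named in the answer. ClientId and RedirectUri are placeholders (assumptions).
public class MsalAuthDelegate : IAuthDelegate
{
    private const string ClientId = "<your-app-registration-client-id>";
    private const string RedirectUri = "http://localhost";

    // Resource -> delegated scope, exactly as the answer states.
    private static readonly Dictionary<string, string> ScopeForResource =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["https://syncservice.o365syncservice.com/"] = "https://psor.o365syncservice.com/UnifiedPolicy.User.Read",
            ["https://aadrm.com"] = "https://aadrm.com/user_impersonation",
        };

    // One public client per authority: the SDK passes "/common" on the first
    // call and a tenant-specific authority on the second (see the question).
    private readonly Dictionary<string, IPublicClientApplication> _apps =
        new Dictionary<string, IPublicClientApplication>(StringComparer.OrdinalIgnoreCase);

    public string AcquireToken(Identity identity, string authority, string resource, string claims)
    {
        if (!ScopeForResource.TryGetValue(resource, out var scope))
            scope = resource.TrimEnd('/') + "/.default";  // assumption: fallback for other resources
        var scopes = new[] { scope };

        if (!_apps.TryGetValue(authority, out var app))
        {
            app = PublicClientApplicationBuilder.Create(ClientId)
                .WithAuthority(authority)   // honour the authority the SDK asked for
                .WithRedirectUri(RedirectUri)
                .Build();
            _apps[authority] = app;
        }

        var account = app.GetAccountsAsync().GetAwaiter().GetResult().FirstOrDefault();
        AuthenticationResult result;
        try
        {
            result = app.AcquireTokenSilent(scopes, account).ExecuteAsync().GetAwaiter().GetResult();
        }
        catch (MsalUiRequiredException)
        {
            // No cached token for this scope/authority: prompt once; later calls hit the cache.
            result = app.AcquireTokenInteractive(scopes).ExecuteAsync().GetAwaiter().GetResult();
        }
        return result.AccessToken;
    }
}
```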