Graph API with Delegated Permission
Application Type: Reactive

Hi all,

I am new to OutSystems as well as to REST APIs.

I am using Microsoft Login Connector for authentication and have delegated permission in Azure AD.

However, I need to send notification emails in my process flow (every 14 days), meaning I don't have a logged-in user. Is it possible to do this with my app having only delegated permissions in AD? If yes, can you point me in the right direction?


Solution

Hi Pamela,

When you log on with just client id and client secret you actually log on as the registered application. And if the application has no permissions assigned, then you get the 403 Forbidden error you see.

Logging in with delegated permission means that your application is accepting a token from a permitted user.

There is - however - a way to automatically log on a user (with password). This is called the resource owner password credentials flow. See an explanation of the flow here https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc along with an example of how to post to the endpoint to retrieve a token. Please read the Important block because there are some constraints on when you can use this flow.

Best

Stefan


Hi,

Potentially, the Login Connector gives you the possibility to retrieve every token of a user who has logged in at least once. See the article here on how to access the cached tokens of the Login Connector: https://stefan-weber.medium.com/getting-started-with-outsystems-and-microsoft-graph-123006356d41

But... tokens expire, so you cannot assure that you have a valid token in your BPT to access Graph API, and it is of course not the intended way to use personal, user-issued tokens without having a user logged in.

The best way is to use application permissions. See here on how to configure an application and grant rights: https://docs.microsoft.com/en-us/graph/auth-v2-service

When giving an application the right to send mails, it means that this application has the right to send emails on behalf of every user. This is most likely not intended. In addition to the Send Mail right you should also configure application access policies to only grant permission to specific resources (mailbox, calendar and so forth). See here for details on how to do that: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

Best

Stefan
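To make the two points in these replies concrete (why a client-id/secret sign-in with nothing assigned ends in 403, and why a token pulled from the Login Connector cache cannot be relied on in a BPT), here is an added Python example. It is not code from this thread, from the Login Connector or from Microsoft: it builds the token request body for the ROPC flow next to the client-credentials one, and it inspects the claims of an access token to tell a delegated token (`scp` claim) from an app-only token (`roles` claim) and from one that carries neither, and to check whether the token has expired. The tenant, user names and the three sample tokens are constructed; the sample tokens are unsigned stand-ins so the example runs offline.

```python
import base64
import json
import time

# Azure AD v2.0 token endpoint (from the linked Microsoft docs); {tenant} is the tenant ID or domain.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request(flow, tenant, client_id, client_secret, scope, username=None, password=None):
    """Return (url, form body) for a token request to the v2.0 endpoint.

    flow="client_credentials": app-only sign-in; the token only carries the
        application permissions (roles) assigned to the app registration.
    flow="password": resource owner password credentials (ROPC); signs in a
        named user and the token carries the app's delegated permissions (scp).
    """
    body = {"client_id": client_id, "client_secret": client_secret, "scope": scope}
    if flow == "client_credentials":
        body["grant_type"] = "client_credentials"
    elif flow == "password":
        if not (username and password):
            raise ValueError("ROPC needs username and password")
        body.update(grant_type="password", username=username, password=password)
    else:
        raise ValueError(f"unsupported flow: {flow}")
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def decode_payload(access_token):
    """Decode the JWT payload of an access token. The signature is NOT verified
    here (Graph does that); this is only for inspecting claims locally."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(access_token, needed="Mail.Send", now=None):
    """Explain whether a token can call an endpoint that needs `needed`.

    Delegated tokens carry permissions in the space-separated `scp` claim,
    app-only tokens in the `roles` list. A token with neither is the
    'no permissions assigned' case behind the 403 in the thread."""
    claims = decode_payload(access_token)
    now = time.time() if now is None else now
    scp = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    if scp:
        flow, granted = "delegated", needed in scp
    elif roles:
        flow, granted = "application", needed in roles
    else:
        flow, granted = "none", False
    return {
        "flow": flow,
        "has_permission": granted,
        "expired": claims.get("exp", 0) <= now,
        "user": claims.get("upn"),
    }


# --- constructed sample tokens (unsigned, for illustration only) -------------
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims):
    """Build a JWT-shaped string with an empty signature, so the samples below
    parse like real tokens without involving any real credentials."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


NOW = 1_700_000_000  # constructed reference time for the samples
AUD = "https://graph.microsoft.com"

# 1) client_credentials token for an app with no application permissions: no scp, no roles
APP_ONLY_NO_ROLES = make_unsigned_token({"aud": AUD, "exp": NOW + 3600})
# 2) ROPC token for a dedicated notification user with delegated Mail.Send (constructed user)
DELEGATED_ROPC = make_unsigned_token(
    {"aud": AUD, "scp": "Mail.Send User.Read", "upn": "notifier@contoso.example", "exp": NOW + 3600})
# 3) token taken from the Login Connector cache, already expired
CACHED_EXPIRED = make_unsigned_token(
    {"aud": AUD, "scp": "Mail.Send", "upn": "someone@contoso.example", "exp": NOW - 60})


if __name__ == "__main__":
    url, body = token_request("password", "contoso.example", "<client-id>", "<client-secret>",
                              "https://graph.microsoft.com/Mail.Send",
                              "notifier@contoso.example", "<password>")
    print(url, sorted(body))  # print field names only, never the secret or password
    for name, tok in [("app-only, no roles", APP_ONLY_NO_ROLES),
                      ("ROPC user token", DELEGATED_ROPC),
                      ("cached, expired", CACHED_EXPIRED)]:
        print(f"{name:20} -> {diagnose(tok, now=NOW)}")
```

Run against a real token returned by the endpoint, `diagnose` reads the same claims: `scp` present means the token is delegated and tied to the signed-in user, `roles` present means app-only, and neither means the application signed in with nothing assigned to it, which is the state that produces the ErrorAccessDenied response above. Checking `exp` before a BPT uses a cached token is the cheap way to detect the expiry problem Stefan describes.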


Hi Stefan,

Thank you for your response.

Our IT, however, does not want to grant me application permissions.

They have the same concern as you: it can spoof all users.

This is what IT did on their side:

1. They have configured an app with delegated permissions

2. Created a user that can send email (IT said I can proceed to send email without authorization because it has permissions and they have disabled MFA for this user)

I was able to generate a token using client secret and ID, but whenever I send an email, I get this error:

HTTP/1.1 403 Forbidden
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}

How can I sign in the user using just the API without asking for consent from the user? Is this possible with an app with delegated permissions?



Hi Stefan,

It worked!

Thank you for your support. 

I will take note of the warning.

Best Regards,

Pamela
