/ms-graph-sendmail

Send mail as an application for a user mailbox

Microsoft Graph Send Mail

  • There is a Java demo and a Python demo; you can choose either one.

Setup

Setting up the application

  1. Open Azure Active Directory in the Azure Portal
  2. Click on App Registrations
  3. Add a new App Registration by clicking on New Registration
    1. Give it a name (e.g. graphsendmail)
    2. Select Accounts in this organizational directory only (Single tenant)
    3. Click on Register
  4. You should now see your App Registration (if not, go to App Registrations and select it by name)
  5. ?????? Allow public client flows ??????
  6. Memorize the Application (client) ID
  7. Go to Certificates & secrets and add a New client secret
  8. Memorize the client secret
  9. Go to API permissions and click on Add a permission
    1. Click on Microsoft Graph
    2. Click on Application permissions
    3. Select Mail.Send
    4. Click on Add permissions
  10. Click on Grant Admin Consent
    (This gives the application permission to send mail on behalf of every user in the tenant. The next section limits it to specific mailboxes.)
  11. Configure an application (choose either Java or Python)

Limiting access to specific mailboxes (optional)

  1. Go to Exchange Admin Center
  2. Click on Groups (Under Recipients)
  3. Click on Add a group
    1. Select Mail-enabled security and click on Next
    2. Give it a name (e.g. graphsendmailgroup) and click on Next
    3. Add an owner
    4. Add the mailboxes that you would like to use with your application as members.
    5. Use the name as the group mail address and memorize the mail address of the group
    6. Click on Create
  4. Run the following script to create an application access policy
    # Connect to Exchange Online (requires the ExchangeOnlineManagement module)
    Connect-ExchangeOnline
    # Add a new application access policy, using the memorized Application (client) ID and group mail address
    New-ApplicationAccessPolicy -AppId ClientAppId -PolicyScopeGroupId mailEnabledSecurityGroupName@domain -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
    # Test whether the application can use a mailbox (one that is a member of the group)
    Test-ApplicationAccessPolicy -Identity mailbox@domain -AppId ClientAppId
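
To confirm the policy restricts the app as intended, test a mailbox outside the group as well as one inside it. The following PowerShell is an added example, not part of the original repository; `othermailbox@domain` is a hypothetical non-member mailbox, and the other values are the same placeholders used in the script above.

```powershell
# Added example: confirm the policy allows group members and denies everyone else.
# All values are placeholders; replace them with your own.
$AppId    = 'ClientAppId'                 # Application (client) ID of the App Registration
$Expected = [ordered]@{
    'mailbox@domain'      = 'Granted'     # member of the mail-enabled security group
    'othermailbox@domain' = 'Denied'      # hypothetical mailbox that is NOT a member
}

Connect-ExchangeOnline

# List every policy that applies to this app, to spot leftovers or a wrong scope group.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-List Identity, AppId, ScopeName, AccessRight, Description

# Evaluate the policy for each mailbox and compare with the expected result.
$results = foreach ($mailbox in $Expected.Keys) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $Expected[$mailbox]
        Actual   = $check.AccessCheckResult
        Ok       = ($check.AccessCheckResult -eq $Expected[$mailbox])
    }
}
$results | Format-Table -AutoSize

# Fail loudly if any mailbox is reachable that should not be (or the reverse).
if ($results.Ok -contains $false) {
    Write-Error 'Application access policy does not match the expected scope.'
}
```

Microsoft's documentation notes that policy changes can take some time to apply to Graph API calls, even when Test-ApplicationAccessPolicy already reports the new result.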

Run Demo

  1. Go into the directory of the application (choose either Java or Python)