Currently I have used GMail API (OAuth Credential for Web) to read and send email messages. How can we send email on behalf of another user (i.e. noreply#example.com)?
In enterprise application, do we need to use service account for reading specific user's mail labels, messages and send email on behalf of that user?
Solution
Indeed you CAN send and read the mailbox of other user's in your domain with the Gmail API using a service account with domain wide delegation.
You will need to grant the service account with the Project Role of Owner using the domain wide authorization.
Apart from the official documentation linked above, here is a tutorial on how to send emails on behalf of other users using service accounts. To read from their mailbox you would follow the same process. Here is more information on mail delegation in case you are interested.
NOTE : in order to do this your service account must be in the same domain as the user's email you are trying to send and read messages from.
I hope this has helped you. Let me know if you need anything else or if you did not understood something. :)
Related
I have a Windows Service which currently sends emails of office 365 users using their email and password via the older smtp method.
Microsoft is turning this ability off very soon.
Currently I use mailkit and c# within a windows service
The only details I have are the users smtp username and password
My app has no user interaction ability as it runs on another box
I have read many ways about how to send email with oauth2 and ms and it seems a lot of people do it differently, and their is no clear path. I have seen such as using ms azure registered applications and different azure library's.
So my question is, what is the easiest route to take regarding a new non user inactive service being able to still send email on behalf of a user.
Most of the users I deal with are not able to setup up azure and it's products as their are small companies with limited it support.
I feel like I have perhaps gone down the wrong path of trying to use azure graph
So what is the correct, most similar to smtp and simple route to recreate a simple email sending windows service using c#
Thank you for your time in reading this
As far as I know Microsoft usually recommends the use of the GraphApi for this stuff.
The preferred way would be to use delegated permissions, i.e. your application has the permission to send an email in the name of the logged in user. If I understood you correctly that is not an option for you because you want to send the mails from a non-interactive background service.
That means that you application itself needs the permission to send an email in any users name. Obviously this is a much broader permission and you should think about if you really want to do it this way. Also, if you are in some kind of corporate context, you might also have to involve and get consent from the data protection officer or the like.
On the technical side such a permission is called an "application permission" thus you need the Mail.Send application permission which requires admin consent i.e. not the individual users of your application decide if they what to give you permission to send mail in their name (this would be delegate permissions) but an AAD admin has to consent for all of them at once.
See https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http#permissions
and https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-38
I want to have a windows service that can received unread mail from my O365 account every 3 minutes and have different action depends on Mail subject. I choose EWS managed API instead of Graph is because maybe I would use this program on Exchange Server in the future. I'm following this tutorial Authenticate an EWS application by using OAuth and I have some question about permission control, in this case I use Application permissions which run without a signed-in user present. for example, apps that run as background services or daemons and can access multiple mailboxes.
Now I can access my mailbox with the applicationID, tennatID and Client-secret. But I have to inpersonate someone within my tennat(domain) and than I can send mail by the Mail Account. My question is Is it have any permission control can set that this application only can access or inpersonate part of tennat user rather than all user within my tennat? (in Azure AD Api permission setting I only seen full_access_as_app - Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user.) I think its not make sense if this application have permission that can impersonate ALL user of my organization, that would be a big deal if this application client-secret exposes.
Sorry for my poor English.
You can use Application access policies to scope your application so it only has access the mailboxes it needs. see https://learn.microsoft.com/en-gb/graph/auth-limit-mailbox-access.
This isn't a code specific question, but more of a general question regarding OAuth2. I maintain a system that for the past 20+ years has been able to easily connect to any SMTP enabled email server, then send an email (only requiring authentication info and a server path). This email account is always system related, and isn't specific to one user, such as support#.
With GMail and Office365 (and other major email providers) dropping support for SMTP direct sends, I have been learning OAuth2. With all the reading I've done, OAuth2 is very email server specific (or so it seems). But from a systems standpoint, I need to be able to send support email regardless of whom is logged into the system, and regardless of what email host, with no authentication popups.
Is a single solution even possible with OAuth2? Will I need to code for every email provider differently? (GMail, Office365, etc) (I can currently get an authorization token from Office 365, but it seems very specific to Office 365) I have yet to figure out how to actually send an email through Office365 with my OAuth2 token, since MailKit doesn't seem to support OAuth. Is there a single protocol that will allow me to send an OAuth2 token through any email host?
I understand how SMTP direct send has been abused for a long time, but replacing it sucks.
I have started to research how to send a mail with Microsoft Graph, but I'm not sure if my scenario is supported.
I need to send a mail at a certain time from a service for a certain user in our company.
I have an application configured in Azure that has the permission for using the Microsoft Graph to send an mail as a user, delegated or not delegated.
I know how to send a mail through the API with a logged-in user.
Is it possible to do this for a user that isn't logged in on the machine at that time or didn't provide an accestoken to my backend server ( bearer token)
Is it possible to do this for a user that isn't logged in on the machine at that time or didn't provide an accestoken to my backend server?
No, you need an access token to access the service on behalf of someone else. There is no way to circumvent that so you can perform actions as a user that hasn't authenticated against the service.
I am developing an application where in the case of an exception an email is sent to my email account automatically - the point is that I will be using my email account and each user will automatically login using my credentials - so will this cause a problem asuming I dispose the object after each sending?
I regullarly use this mechanism to get error details (in small apps, when not using Elmah or log4net :D ). Don't know which service you are using to send emails. I use Gmail (smtp.gmail.com, port 587) and my email id and password is used only to authenticate to use smtp server not log into my email account. So you don't need to worry about this.