Introduction
This article aims to compile a list of minimum permissions for Microsoft Graph applications that will be used for handling four mailbox-related features available in WEBCON BPS.
Each of these features can be configured to use Server type: Exchange Online - Microsoft Graph which allows them to work (as the name implies) in the context of Exchange Online via Microsoft Graph.
Application creation in Microsoft Azure
Each feature requires an application registered in Microsoft Azure, that will be used to facilitate communication between WEBCON BPS and Exchange Online.
Register an application in Microsoft Azure and name it.
It will be assigned a Tenant ID and Application ID.
Next, in the Certificates & secrets section, generate a Client secret and store it securely.
You will need all three of these elements in the E-mail settings configuration, so be sure to hold onto them, especially the Client secret.
This part of the configuration will be the same for each of the four features.
All operations related to sending and receiving e-mails from Exchange Online are handled with Microsoft Graph API in the context of the application.
Therefore, the Microsoft Azure application should be assigned the correct Application Permissions.
The required permissions differ by feature, because depending on the context the feature will send, receive, or delete messages.
The table below compiles the minimum permissions that an application will need in order for the feature using it to work correctly.
| Feature | Minimum Permissions |
|---|---|
| Sending E-mail notifications | Mail.Send |
| Sending Administrative Notifications | Mail.Send (for custom outbox settings) |
| Processing e-mails with HotMailBoxes | Mail.ReadWrite |
| Sending and receiving MailApproval messages | Mail.ReadWrite (for custom inbox parameters), Mail.Send (for custom outbox settings) |
It is a good practice for each feature to have its own application with a dedicated account for sending or receiving e-mails.
It is also a good practice for each application to have only the bare minimum permissions for its intended task.
In the API permissions section, add the necessary permissions for the feature that will use the application.
The permissions take effect only after an administrator grants admin consent for them.
Account for sending and receiving e-mails
Both sending and receiving e-mails require a specified account that the given system feature will use.
In the case of features that send e-mails (System notifications, Administrative notifications), they should use a standard (preferably dedicated) mailbox.
For features that receive and process e-mail messages (HotMailBox, MailApproval), instead of a standard mailbox, you may also use a Shared Mailbox.
Limiting access to a mailbox
Granting Mail.Send and Mail.ReadWrite permissions to an application will give it access to all mailboxes in an organization. Due to security concerns, we prefer to avoid this and limit the permissions to specific mailboxes.
To achieve this, create a security group of the Mail-enabled security type, add the permitted mailboxes to it, and then use the group to configure an appropriate ApplicationAccessPolicy.
The full description of how to configure an ApplicationAccessPolicy can be found here:
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Note: Please keep in mind that any changes made to the ApplicationAccessPolicy can take over an hour to propagate completely. Even if the test command (Test-ApplicationAccessPolicy) is successful, the actual granting of permissions may be delayed.
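The following Exchange Online PowerShell session, added here as an example and not taken from the WEBCON article, creates such a policy for a HotMailBox application and then uses Test-ApplicationAccessPolicy to confirm that one mailbox is in scope and another is not. The application ID, group address and mailbox addresses are placeholders.

```powershell
# Added example: restrict a Graph application (Mail.ReadWrite) to the mailboxes that are
# members of one mail-enabled security group. All values below are placeholders.
$appId        = "00000000-0000-0000-0000-000000000000"   # Application (client) ID from Azure
$scopeGroup   = "bps-hotmailbox-access@contoso.example"  # mail-enabled security group
$scopedMailbox = "hotmailbox@contoso.example"            # member of the group: should be Granted
$otherMailbox  = "finance@contoso.example"               # not a member: should be Denied

# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# RestrictAccess: the app may only reach mailboxes that are members of $scopeGroup.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "WEBCON BPS HotMailBox: Mail.ReadWrite limited to the HotMailBox group"

# Verify the scope. AccessCheckResult is Granted for group members and Denied otherwise.
foreach ($mbx in @($scopedMailbox, $otherMailbox)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $appId
    "{0}: {1}" -f $mbx, $result.AccessCheckResult
}
```

A Granted result shows only that the policy is defined correctly; as noted above, the policy may take over an hour before Graph calls against the mailbox are actually affected.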
Summary
Microsoft 365 cloud solutions are a popular alternative to on-premises solutions, and Exchange Online is their standard component for e-mail communication and calendaring. WEBCON BPS communicates with Microsoft products through the Graph interface, which gives it access to the Microsoft 365 infrastructure.
In this article, we covered four standard mailbox features existing in WEBCON BPS that can operate based on Exchange Online – after being correctly configured in Graph and WEBCON BPS.
Please keep in mind the good practices for creating Graph applications mentioned in this article: