You cannot send messages as an external user, or as any user that does not actually have an Exchange Online mailbox (within your own tenant). The only way around this would be to have the external user (or an admin from his organization) consent to your app, thus adding it to their own tenant and granting the relevant permissions. A mailbox will still be required.
Azure AD External Users invoking Graph API Mail.Send throws error
Hello,
We have a custom application written in C# on ASP.NET 6 (MVC), and we use the Microsoft.Identity.Web NuGet package to integrate with Azure. We have an Azure App Registration configured for multitenant usage, with scopes granted to Mail.Send and User.Read.
We're attempting to authenticate via the OpenID Connect flow and use the resulting access token to invoke the Microsoft Graph API's Mail.Send method as the authorized user. Thus far, this works perfectly fine for users with email accounts within our Active Directory: we authenticate and send emails, and the sent emails appear in the Sent folder in Outlook 365.
When we add an external user that is not in our Azure Active Directory, we are also able to authenticate as before. However, invoking the Mail.Send method causes Microsoft.Identity.Web to throw an exception. We get the following message and stack trace in our logs:
```text
Microsoft.Graph.ServiceException: Code: AuthOMMissingRequiredPermissions
Message: The AadGuestPft token doesn't contain the permissions required by the target API.
Inner error:
AdditionalData:
  oAuthEventOperationId: 723a4bce-038f-488d-b4c2-154cb6bc0ebc
  oAuthEventcV: bf0+XhEUrdudTpKNYSlpvA.1.1
  errorUrl: https://aka.ms/autherrors#error-InvalidGrant
  requestId: 51953158-d659-4db0-87e1-82128ab0d6f5
  date: 2022-11-30T16:56:09
ClientRequestId: 51953158-d659-4db0-87e1-82128ab0d6f5
   at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
   at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Microsoft.Graph.BaseRequest.SendAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
```
Thus far, I've been unable to find anything conclusive via web searches. Strangely enough, viewing the errorUrl requires authentication to the tenant "Microsoft", and is thus inaccessible, blocked by an error message.
I've concluded that my approach may be doomed to fail from the start. The OpenID Connect authentication flow issues an access token to internal and external users alike. However, the access token can only be used for invoking Microsoft Graph API methods under our Azure Active Directory.
Unless I'm mistaken, there is no way to invoke Mail.Send on an external user's Microsoft Graph API without creating an App Registration under their Azure tenant and authenticating against that App Registration, with its Tenant Id, Client Id and Client Secret on the back end. But, for this to work, we would need that App Registration registered under Microsoft.Identity.Web.
Is my reasoning about all of this correct? Is there a way to configure Microsoft.Identity.Web for multiple Azure Registrations under separate Azure Tenants?
Thank you,
Aleks
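The following is an added example written for this page; it is neither the poster's application nor code from Microsoft.Identity.Web or the Graph SDK. It sketches the setup the question describes (ASP.NET Core 6 MVC, Microsoft.Identity.Web, delegated Mail.Send through the Graph SDK 4.x whose `BaseRequest` appears in the stack trace) together with the two checks a practitioner would want after reading the accepted answer: a claims-based guard that refuses to call Mail.Send for a user who is only a guest of the app's own tenant, and a handler that maps the `AuthOMMissingRequiredPermissions` `ServiceException` to a clear result instead of a 500. Assumptions, not taken from the page: the configuration section names `AzureAd` and `DownstreamApi`, `AzureAd:TenantId` set to `organizations` so that an external user signs in against their home tenant after an admin there has consented, the class and enum names, and the guest heuristic, which relies on the standard `tid` and `idp` token claims (a guest's token carries the resource tenant in `tid` and their home identity provider in `idp`).

```csharp
// Program.cs (ASP.NET Core 6 MVC, Microsoft.Identity.Web, Microsoft.Graph 4.x). Added example.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Graph;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// One multitenant app registration. "AzureAd" (assumed section name) holds ClientId and
// ClientSecret and uses TenantId = "organizations", so an external user signs in against
// their HOME tenant, where their admin consented, and gets a token for a mailbox they own.
// With TenantId set to our own tenant id instead, the same user signs in as a guest of our
// tenant and Mail.Send fails with AuthOMMissingRequiredPermissions, as in the question.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "Mail.Send", "User.Read" })
    .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi")) // assumed section
    .AddInMemoryTokenCaches();
builder.Services.AddControllersWithViews().AddMicrosoftIdentityUI();
builder.Services.AddScoped<UserMailSender>();

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

public enum MailSendResult { Sent, GuestNoMailbox }

/// Sends mail as the signed-in user and refuses early when that user is only a guest of
/// our tenant, because Mail.Send needs a mailbox the user has in the tenant that issued
/// the token (the answer above: a mailbox is always required).
public sealed class UserMailSender
{
    private readonly GraphServiceClient _graph;
    private readonly string _ourTenantId; // assumed to be stored under AzureAd:HomeTenantId

    public UserMailSender(GraphServiceClient graph, IConfiguration config)
    {
        _graph = graph;
        _ourTenantId = config["AzureAd:HomeTenantId"] ?? string.Empty;
    }

    /// Heuristic (assumption): a guest's token carries our tenant in 'tid' and their home
    /// identity provider in 'idp'; a member of our tenant has no foreign 'idp' claim.
    public static bool IsGuestOfTenant(ClaimsPrincipal user, string tenantId)
    {
        var tid = user.GetTenantId();                 // Microsoft.Identity.Web extension
        var idp = user.FindFirst("idp")?.Value;
        return string.Equals(tid, tenantId, StringComparison.OrdinalIgnoreCase)
            && idp != null
            && !idp.Contains(tenantId, StringComparison.OrdinalIgnoreCase);
    }

    public async Task<MailSendResult> SendAsync(ClaimsPrincipal user, string to, string subject, string text)
    {
        if (IsGuestOfTenant(user, _ourTenantId))
            return MailSendResult.GuestNoMailbox;    // do not burn a Graph call that will fail

        var message = new Message
        {
            Subject = subject,
            Body = new ItemBody { ContentType = BodyType.Text, Content = text },
            ToRecipients = new List<Recipient>
            {
                new Recipient { EmailAddress = new EmailAddress { Address = to } }
            }
        };
        try
        {
            // Delegated Mail.Send as the signed-in user; second argument saves to Sent Items,
            // which is why the poster sees the copies in Outlook.
            await _graph.Me.SendMail(message, true).Request().PostAsync();
            return MailSendResult.Sent;
        }
        catch (ServiceException ex) when (ex.Error?.Code == "AuthOMMissingRequiredPermissions")
        {
            // Guest-context token (AadGuestPft in the trace): no mailbox for this user here.
            return MailSendResult.GuestNoMailbox;
        }
    }
}

public class MailController : Controller
{
    private readonly UserMailSender _sender;
    public MailController(UserMailSender sender) => _sender = sender;

    // AuthorizeForScopes drives incremental consent if Mail.Send was not granted yet.
    [AuthorizeForScopes(Scopes = new[] { "Mail.Send" })]
    public async Task<IActionResult> Send(string to)
    {
        var result = await _sender.SendAsync(User, to, "Test", "Sent via Graph Mail.Send");
        return result == MailSendResult.Sent
            ? Ok("sent")
            : StatusCode(403, "This account has no mailbox in the tenant that issued its token; " +
                              "an admin of the user's home tenant must consent to the app.");
    }
}
```

The guard is deliberately separate from the exception handler: the claims check costs nothing and gives a precise message, while the `catch` covers the case the heuristic misses (for example a member of our tenant without an Exchange Online licence), so the two together cover both failure modes the answer describes.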