Azure App registration permissions assigned in a multi tenant app

Liviu Dumitrescu 71 Reputation points
2023-03-28T14:12:59.56+00:00

Hello,

I have an app registration in tenant 1 that has the following permissions:


The app registration is multi-tenant.

When I grant consent (through my own app that uses this application) for tenant 2, not all permissions are assigned.


As you can see, Mail.Send is not assigned.


If i use the following URL: https://login.microsoftonline.com/organizations/v2.0/adminconsent%20?client_id=xxxx&scope=https://graph.microsoft.com/User.Read%20https://graph.microsoft.com/Mail.Send

I get one step further:



But as you can see the Mail.Send permission is delegated and not application.

When I use the following code I get an access denied error. What am I missing?

// Build an app-only Graph client (client credentials flow, .default scope).
var scopes = new[] { "https://graph.microsoft.com/.default" };
var credentials = new ClientSecretCredential(
    _configuration[Constants.AuthenticationConstants.ExternalLoginProviders.AzureAD.TenantId],
    _configuration[Constants.AuthenticationConstants.ExternalLoginProviders.AzureAD.ClientIdConfigKey],
    _configuration[Constants.AuthenticationConstants.ExternalLoginProviders.AzureAD.ClientSecretConfigKey],
    new TokenCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzurePublicCloud });
_graphServiceClient = new GraphServiceClient(credentials, scopes);

// Send mail as another user: POST /users/{fromAddress}/sendMail
var requestBody = new SendMailPostRequestBody
{
    Message = new Message
    {
        Subject = subject,
        Body = new ItemBody
        {
            ContentType = BodyType.Html,
            Content = body
        },
        ToRecipients = new List<Recipient>
        {
            new() { EmailAddress = new EmailAddress { Address = toAddress } }
        }
    }
};

var sendMailRequestBuilder = _graphServiceClient?.Users[fromAddress].SendMail;

if (sendMailRequestBuilder != null)
    await sendMailRequestBuilder.PostAsync(requestBody);

Accepted answer
    CarlZhao-MSFT 37,296 Reputation points
    2023-03-29T10:14:54.2933333+00:00

    Hi @Liviu Dumitrescu

    Since you're calling the /users/{user id} endpoint to send mail on behalf of another user, you need application permissions and not delegated permissions. The application permission requires you to statically consent to all permissions, so please delete the Dynamics 365 permission in tenant 1 first, and then re-grant the Dynamics 365 permission after the administrator of tenant 2 consents to your multi-tenant application.

    https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
    
    var requestBody = new Microsoft.Graph.Users.Item.SendMail.SendMailPostRequestBody
    {
        Message = new Message
        {
            Subject = "Meet for lunch?",
            Body = new ItemBody
            {
                ContentType = BodyType.Text,
                Content = "The new cafeteria is open.",
            },
            ToRecipients = new List<Recipient>
            {
                new Recipient
                {
                    EmailAddress = new EmailAddress
                    {
                        Address = "frannis@contoso.onmicrosoft.com",
                    },
                },
            },
            CcRecipients = new List<Recipient>
            {
                new Recipient
                {
                    EmailAddress = new EmailAddress
                    {
                        Address = "danas@contoso.onmicrosoft.com",
                    },
                },
            },
        },
        SaveToSentItems = false,
    };
    await graphClient.Users["{user-id}"].SendMail.PostAsync(requestBody);
    

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

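An added diagnostic (not part of the question or the answer, and not Microsoft's code) that inspects the access token the client-credentials flow returns before calling Graph: an app-only token carries application permissions in the `roles` claim, a delegated token carries them in `scp`, and a token with neither is what the flow yields when only delegated permissions have been consented in the target tenant. The token payloads, tenant id and client id below are constructed placeholders; the Graph audience values and claim names are the real ones.

```python
import base64
import json

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_jwt(payload):
    # Constructed, unsigned sample for exercising the claim logic; never accept such a token.
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(payload), "sig"])

def decode_payload(token):
    """Read the JWT payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_graph_permission(token, required_app_role, expected_tenant):
    """Decide whether an app-only Graph call needing `required_app_role` can succeed."""
    claims = decode_payload(token)
    result = {"tenant": claims.get("tid"), "kind": None, "granted": [], "ok": False, "reason": ""}
    if claims.get("aud") not in GRAPH_AUDIENCES:
        result["reason"] = "audience is not Microsoft Graph"
    elif claims.get("tid") != expected_tenant:
        result["reason"] = "token was issued by a different tenant"
    elif "roles" in claims:            # app-only token: application permissions
        result["kind"], result["granted"] = "application", list(claims["roles"])
        if required_app_role in result["granted"]:
            result["ok"] = True
        else:
            result["reason"] = f"application permission {required_app_role} not consented"
    elif "scp" in claims:              # delegated token: space-separated scopes
        result["kind"], result["granted"] = "delegated", claims["scp"].split()
        result["reason"] = "delegated token; /users/{id}/sendMail needs an application permission"
    else:                              # client credentials, but nothing consented as application
        result["reason"] = "no roles claim: only delegated permissions were consented in this tenant"
    return result

# Constructed sample payloads (tenant id and client id are placeholders).
_BASE = {"aud": "https://graph.microsoft.com", "tid": "tenant-2-id", "appid": "client-id-placeholder"}
TOKEN_APP_OK = make_sample_jwt({**_BASE, "roles": ["User.Read.All", "Mail.Send"]})
TOKEN_DELEGATED = make_sample_jwt({**_BASE, "scp": "User.Read Mail.Send"})
TOKEN_NO_PERMS = make_sample_jwt(dict(_BASE))

if __name__ == "__main__":
    for name, tok in [("app-only", TOKEN_APP_OK), ("delegated", TOKEN_DELEGATED), ("no consent", TOKEN_NO_PERMS)]:
        print(name, check_graph_permission(tok, "Mail.Send", "tenant-2-id"))
```

Paste a real token's payload only into an offline tool you control; the third case is the one that produces the access denied described in the question, and the fix is the static admin consent described in the answer, not a code change.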