Sending email with service account from Azure automation using Graph

Bombbe 1,611 Reputation points
2024-02-01T14:40:56.4733333+00:00

Hello, Is it possible to send emails with a Service Account from Azure Runbooks without using "application permissions"? For instance, if I create an Azure AD application and assign API permissions to it as following User's image

Then I create a Service Account (e.g., SVC_SendEmails@company.com) and add it to the "Users and groups" blade for the application. Should I be able to send emails automatically with Azure Runbooks using only the Service Account's name?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,014 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 91,276 Reputation points MVP
    2024-02-01T18:03:35.8166667+00:00

    Sure, it's possible, but how do you plan to authenticate? Unless you want to use the insecure ROPC flow, authentication will need to be interactive, i.e. someone will have to type the credentials, or approve a request.

    For this reason, the usual approach is to authenticate as an app, or leverage an Azure managed identity. If you are worried about the permissions needed for such approach and their scope, you can configure additional controls on Exchange Online side to restrict access to just a given account/mailbox. Here's a sample article that details the process: https://janbakker.tech/a-love-story-about-role-based-access-control-for-applications-in-exchange-online-managed-identities-entra-id-admin-units-and-graph-api/

    0 comments No comments