Microsoft missed scope validation on their side while sending an email

Dmytro Maliuta 0 Reputation points
2024-05-21T12:46:59.2633333+00:00

Hi! When you send a request to https://graph.microsoft.com/v1.0/me/sendMail and try to create and send an email, you can do it without the "Mail.Send" and "Mail.ReadWrite" scopes. When your access token doesn't have these permissions, it will create and send a message without these scopes, which can be a security issue.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,150 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Azizkhon Ishankhonov 355 Reputation points
    2024-05-21T13:21:41.9966667+00:00

    Hi

    I tried with two accounts and two different Entra applications.

    The first one was without MFA and previously used by the registered application and API permission was granted. Yes, it gives all consent granted before even if permission was deleted.

    The second account has not been used before by a registered application(same app as 1st) and the token does not contain extra scopes.

    The third test case was a new application on Entra with an account without MFA. When I tried to get the token "openid" scope(which by default was granted) it required admin consent to use this application.

    Overall, I can say that it might be a cache or misconfiguration. You can try later will it permits you even after deletion or admin consent for this application should be revoked.