OAuth 2.0 - Authenticating Outlook Account in Azure AD

Granville Rex 6 Reputation points
2020-03-25T20:30:04.263+00:00

I am testing 2-legged OAuth 2.0 integration for POP3 in a desktop application. The app has a service component that sends and receives emails from a single account in the background.

I set up a @harsh.com .com account to test with, and started a trial for Azure using this account.

I'm not very clear on the relationship between the Outlook account and the Azure tenant though. If I provide my app "Mail.Send" permission for the Graph API (or "full_access_as_app" for the Exchange API) and request a token, can I use that token to authenticate the @harsh.com account?

The outlook account shows up as a User on the Azure directory. Is that sufficient to grant my app access to the account via the Graph API?

Any info on this would be greatly appreciated! Please let me know if there is a better way to set up this testing.

**EDIT:**

I thought I'd post the tokens I'm getting back from both endpoints. I receive a "protocol error" when I try to authenticate on either the outlook.office365.com or pop3.live.com servers using these tokens. Which is why I wanted to make sure it's possible to authenticate an outlook account using one of the above APIs.

I've also tried registering for an Exchange Online trial with the same outlook account and testing with the Exchange email address. I receive the exact same "protocol error".

Graph Endpoint:

```json
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
  "iat": 1585688162,
  "nbf": 1585688162,
  "exp": 1585692062,
  "aio": "42cAAh59R94bYs4Je0Kn290+uwUA",
  "app_displayname": "Remindex",
  "appid": "ad2ead7c-edb9-476f-8209-ecb29e1b7355",
  "appidacr": "1",
  "idp": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
  "oid": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
  "roles": [
    "Mail.ReadWrite",
    "Mail.Send"
  ],
  "sub": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
  "tid": "04669076-130f-49aa-b6b8-171a9e74b324",
  "uti": "gpIYvaSYikuDnd6CFQAnAA",
  "ver": "1.0",
  "xms_tcdt": 1585156686
}
```

Exchange Endpoint:

```json
{
  "aud": "https://outlook.office365.com",
  "iss": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
  "iat": 1585688002,
  "nbf": 1585688002,
  "exp": 1585691902,
  "aio": "42dgYNjxvn/mtBN+7zm3/vu4L0yyAgA=",
  "app_displayname": "Remindex",
  "appid": "ad2ead7c-edb9-476f-8209-ecb29e1b7355",
  "appidacr": "1",
  "idp": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
  "oid": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
  "roles": [
    "full_access_as_app",
    "Mail.ReadWrite",
    "MailboxSettings.ReadWrite",
    "Mail.Read",
    "Mail.Send",
    "MailboxSettings.Read"
  ],
  "sid": "f4596631-bebc-4308-8b46-8ea14b842739",
  "sub": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
  "tid": "04669076-130f-49aa-b6b8-171a9e74b324",
  "uti": "0lyqmDTwPEqSeXwQYHUlAA",
  "ver": "1.0"
}
```

Please let me know of any additional information that would be helpful to include


1 answer

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-03-27T09:46:09.14+00:00

    @Granville Rex, you can very well use the outlook.com account; using it means the user has given a valid email id, and using that email id an Azure Subscription/Azure Licenses have been purchased. This outlook.com account is saved in the tenant's directory (i.e. Azure AD) to maintain its identity for the respective tenant, and also Azure considers that user id to be of the highest grade admin for the tenant, like a Global Admin or Service Admin. You can update that anytime you want, but initially, during the tenant creation, this is what happens.

    Now coming to the second part of the query: if you provide your app with "Mail.Send" permission for the Graph API (or "full_access_as_app" for the Exchange API) and request a token, can you use that token to authenticate the @harsh.com account?

    Now it depends on what kind of permissions are provided. To start with, there are two types of permission set for every 1st party API, i.e. Application permissions (used when an application is trying to access the API) and Delegated permissions (used when a user tries to access an API using the application; in other words, the application tries to get the API response on behalf of the user). More info on this can be found here.

    In case you want to get an access token for your user with the Outlook.com user id, you would have to set the delegated permissions and then request a token. Once you get the access token and decode it, you should see the "aud" [audience] is set as https://graph.microsoft.com, and in the "scp" [scopes] your permissions for the API would be listed.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

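The answer's troubleshooting step (decode the access token and look at `aud` and `scp`) can be scripted. The following is an added Python example, not code from the question or the answer: it reads a JWT's claims without verifying the signature, classifies the token as application-only (`roles` present, as in the tokens posted above) or delegated (`scp` present), and checks that the audience matches the resource you are about to connect to. The sample tokens it decodes are constructed, unsigned, with a placeholder tenant id.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT signature checks.
    Suitable for local troubleshooting only; never base authorization on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, resource: str, now=None) -> dict:
    """Classify the token's flow and check it against the target resource."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    if "scp" in claims:                      # delegated: space-separated scopes
        flow, perms = "delegated", claims["scp"].split()
    elif "roles" in claims:                  # app-only (client credentials)
        flow, perms = "application", list(claims["roles"])
    else:
        flow, perms = "unknown", []
    return {
        "flow": flow,
        "permissions": perms,
        "audience_ok": claims.get("aud") == resource,
        "expired": now >= claims.get("exp", 0),
        "tenant": claims.get("tid"),
    }


def _make_unsigned_token(payload: dict) -> str:
    # Constructed sample token with alg "none" and an empty signature (demo only).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed payloads; tenant id is a placeholder, not a real tenant.
PLACEHOLDER_TID = "00000000-0000-0000-0000-000000000000"
APP_TOKEN = _make_unsigned_token({          # shape of the app-only token in the question
    "aud": "https://graph.microsoft.com", "tid": PLACEHOLDER_TID,
    "roles": ["Mail.ReadWrite", "Mail.Send"], "appidacr": "1", "exp": 1585692062})
DELEGATED_TOKEN = _make_unsigned_token({    # shape the answer describes (scp, no roles)
    "aud": "https://graph.microsoft.com", "tid": PLACEHOLDER_TID,
    "scp": "Mail.ReadWrite Mail.Send", "exp": 1585692062})
```

Running `diagnose(APP_TOKEN, "https://outlook.office365.com")` reports `audience_ok: False`, which is the first thing to rule out when a mail server rejects a token that was minted for Graph.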