Outlook Add-in `Application permission` SSO Auth

Cured Chestnut 0 Reputation points
2024-11-12T05:47:58.9933333+00:00

Background: I want to use .NET Core (without a front end) to access the mails in the mailbox of a third-party individual user (it may be an Office account or a personal account). I don't know if this idea is feasible.

I followed the steps below and made some attempts:

Invite the third-party email to become an organization user.

Register an application: follow the steps provided in the link https://learn.microsoft.com/en-us/samples/officedev/pnp-officeaddins/outlook-add-in-sso-naa/ to register the application in Azure Active Directory.

Configure API permissions: in the Azure portal, navigate to the API permissions section and configure the Application permissions [User.Read.All, Mail.Read].

Use MSAL to log in, call getAccessToken, and request the user profile API.

But in the end I didn't get the results I expected.

I want to know whether my idea is feasible. If it is, what is the problem?


1 answer

  1. Tiny Wang-MSFT 2,821 Reputation points Microsoft Vendor
    2024-11-12T06:20:56.5733333+00:00

    Hi Cured, I'm sorry, but I'm afraid it's not feasible to achieve your goal, as the emails are from a 3rd-party individual user. The application you registered in Azure AD and granted the Mail read permission could help you read the mails of a user who is in your tenant and has a mail license assigned.

    Let's see a common scenario. Assuming I have an email account TinyTest@outlook.com, you invite me to join your tenant, so you use the invite-user feature in Azure AD. Next, I will receive an invitation email in my mail account. After I accept the invitation, you will see a new user created in your tenant whose account should be in the format TinyTest_outlook.com#EXT#@yourtenantname.onmicrosoft.com. I can still use the Outlook account to sign in to the Azure portal, but the account I use is indeed the @tenantname.onmicrosoft.com account. My account in your tenant doesn't have email ability until you purchase an M365 license and assign it to my account; then the @tenantname.onmicrosoft.com account can be used to send and receive emails, and the emails the Azure AD application could query are those from the @tenantname.onmicrosoft.com account. Microsoft can't query out the emails for my Outlook account at any time.

    Let's raise another example. Assuming you establish an SMTP server with your custom email service, and one day you use your custom mail account to register in Azure, I trust Microsoft is not able to get the data stored in your SMTP server without your permission, right? But what you have done now is only granting Azure AD email read permission, which is not related to your own server.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Tiny

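As an added example (not code from the question or the answer), this is the app-only path Tiny describes, in .NET Core with MSAL.NET and Microsoft Graph: the app authenticates as itself with client credentials and reads the mailbox of a licensed user inside the tenant. The tenant id, client id, secret and target user are placeholders.

```csharp
// Added example, not from the question or answer. Requires the NuGet package
// Microsoft.Identity.Client and the Application permission Mail.Read with admin consent.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class AppOnlyMailReader
{
    // Placeholders: take these from your own app registration.
    const string TenantId = "<TENANT_ID>";
    const string ClientId = "<CLIENT_ID>";
    const string ClientSecret = "<CLIENT_SECRET>";

    static async Task Main()
    {
        // Client credentials flow: no user signs in, the app authenticates as itself.
        // The resulting token carries Application permissions (roles claim), here Mail.Read,
        // which is tenant-wide: it reaches any licensed mailbox in this tenant and nothing
        // outside it (an invited outlook.com guest's home mailbox is outside the tenant).
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // "/.default" requests every application permission consented on the app.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        // Target must be a member user of this tenant with an Exchange Online license (placeholder UPN).
        string userPrincipalName = "someone@yourtenantname.onmicrosoft.com";
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        HttpResponseMessage response = await http.GetAsync(
            $"https://graph.microsoft.com/v1.0/users/{userPrincipalName}/messages?$top=5&$select=subject,from");

        // 403 typically means consent is missing or an Exchange application access policy
        // excludes this mailbox; 404 typically means the user has no mailbox (no license).
        Console.WriteLine($"{(int)response.StatusCode} {response.StatusCode}");
        Console.WriteLine(await response.Content.ReadAsStringAsync());
    }
}
```

Because Mail.Read as an Application permission covers every mailbox in the tenant, scope the app to only the mailboxes it needs with an Exchange Online application access policy (New-ApplicationAccessPolicy with -AccessRight RestrictAccess), and treat the client secret as a credential that grants that whole scope.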
