Best practice for adding MS Graph permissions to a Function App? (For reading a user's mailbox)

KovcsZoltn-3476 0 Reputation points
2024-12-10T11:44:15.4933333+00:00

The reason I need the permissions is to read a specific mailbox and send mail from that mailbox.

The only entity that would manage the mailbox is the Function App.

I have found articles from Microsoft directly and on MS Forums on how to do it, but for me it is difficult to understand the process.

The main article I have read:

https://learn.microsoft.com/en-us/graph/permissions-grant-via-msgraph?tabs=powershell&pivots=grant-application-permissions

In the MS Learn article it reads that I have to use PowerShell (or CLI) to run the needed commands.

For that I first have to log into MS Graph with the command: Connect-MgGraph.

This command needs specific scopes to operate properly.

For my needs I have found that the lowest-privilege scope (and therefore role / permission) I can specify to successfully run these commands is:

AppRoleAssignment.ReadWrite.All, as per https://learn.microsoft.com/en-us/graph/permissions-reference#approleassignmentreadwriteall

The problem with that is that I then have to give MS Graph full authority over my tenant with the specified permissions.

I do not want to do that if possible, for that is a scope with privileges which are too high in my opinion.

My question to this part is:

Is there any other scope I can log in with that would let me run the commands but give the fewest permissions (no admin / highly privileged permissions) to MS Graph?

If there are no such roles, then I have another question.

I have read that the Connect-MgGraph command only gives access AND receives access to the specified scopes for the duration of the SESSION!

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/connect-mggraph?view=graph-powershell-1.0#example-1-delegated-access-using-interactive-authentication-where-you-provide-the-scopes-that-you-require-during-your-session

Does that mean that after I use the command Disconnect-MgGraph, MS Graph will automatically lose the permissions I have consented to in my tenant?

If not, how can I remove them after I am done with the role assignments?

As a last question, what would be the best practice for cases like this?

NOTE: Assignment at App Role is not an option. Using Azure Logic Apps is not an option.

Tags: Azure Functions, Microsoft Entra ID, Microsoft Graph

2 answers

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2024-12-10T17:00:18.78+00:00

    By default, (application) permissions you grant for the Graph API are tenant-wide: they cover all resources of the specified type (such as mailboxes). Different workloads have different controls that allow you to restrict this tenant-wide access; in the case of Exchange you can use the RBAC for applications feature: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

    In your case, if you only need read and send access to a (set of) mailbox(es), a combination of Mail.Read and Mail.Send should be the least privileged approach, which you can scope via the methods outlined in the article above (the "Application Mail.Read" and "Application Mail.Send" roles, respectively).

    All that assumes your app/function will use application permissions. For delegated permissions, permissions are by default restricted to the user you are running for. You can configure delegation via Outlook/OWA to grant read/send access to additional mailboxes, and on the Graph side of things, add the Mail.Read.Shared and Mail.Send.Shared delegated permissions.

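The following is an added example (not code from the original thread or from Microsoft) that carries out the scoping approach the answer above describes: instead of a tenant-wide Mail.Read / Mail.Send grant in Entra ID, the Function App's managed identity is given the "Application Mail.Read" and "Application Mail.Send" roles in Exchange Online, restricted by a custom management scope to a single mailbox. The Function App name, mailbox address and scope name are hypothetical placeholders; the example assumes a system-assigned managed identity (whose service principal has the same display name as the Function App), that the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and that the person running it is an Exchange admin with the Role Management role. It also assumes, per the linked RBAC for applications article, that no Entra-side app role assignment is made, which is why the interactive session only ever needs the read-only Application.Read.All scope rather than AppRoleAssignment.ReadWrite.All.

```powershell
# Added example, not from the original thread. Placeholders below are hypothetical.
$functionAppName = 'mailbox-reader-func'
$mailboxSmtp     = 'notifications@contoso.example'
$scopeName       = "FunctionApp-$functionAppName-only"

# 1. Look up the managed identity's service principal (need its Id and AppId for Exchange).
#    Application.Read.All is read-only; this admin session never holds AppRoleAssignment.ReadWrite.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$funcSp = Get-MgServicePrincipal -Filter "displayName eq '$functionAppName'"
if (-not $funcSp) { throw "No service principal named '$functionAppName'; enable the managed identity first." }
Disconnect-MgGraph | Out-Null

# 2. Exchange Online side: RBAC for Applications.
#    Assumption: the Exchange role assignment is used *instead of* an Entra app role assignment,
#    because the Entra-side Mail.Read / Mail.Send grant would be tenant-wide.
Connect-ExchangeOnline -ShowBanner:$false

# Management scope that matches exactly one mailbox.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$mailboxSmtp'" | Out-Null

# Make the managed identity known to Exchange Online.
New-ServicePrincipal -AppId $funcSp.AppId -ObjectId $funcSp.Id -DisplayName $functionAppName | Out-Null

# Least privilege: read and send only, and only inside the custom scope.
foreach ($role in 'Application Mail.Read', 'Application Mail.Send') {
    New-ManagementRoleAssignment -App $funcSp.Id -Role $role -CustomResourceScope $scopeName | Out-Null
}

# 3. Verify effective access: the target mailbox should be authorized, any other mailbox not.
Test-ServicePrincipalAuthorization -Identity $funcSp.Id -Resource $mailboxSmtp
Test-ServicePrincipalAuthorization -Identity $funcSp.Id -Resource 'someone.else@contoso.example'

Disconnect-ExchangeOnline -Confirm:$false
```

The two Test-ServicePrincipalAuthorization calls are the check worth keeping in a runbook: the first should report the role as in scope for the target mailbox, the second should not. If the Function App later needs a second mailbox, widen the RecipientRestrictionFilter of the scope rather than adding a broader role. Inside the Function App itself, the code then simply acquires a Graph token with the managed identity (for example via DefaultAzureCredential) and calls /users/{mailbox}/messages and /users/{mailbox}/sendMail; no Connect-MgGraph or consent step runs there.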

  2. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-12-20T17:02:55.86+00:00

    Hello @KovcsZoltn-3476

    To answer your first question, there are other scopes that you can use to log in with that would give you fewer permissions than AppRoleAssignment.ReadWrite.All.

    For example, you could use Mail.ReadWrite or Mail.Send to read and send mail, respectively. You can find a list of available scopes and their descriptions in the Microsoft Graph permissions reference documentation.

    Regarding your second question, when you use the Connect-MgGraph command to log in with a specific set of scopes, MS Graph will only have access to those scopes for the duration of your session. When you use the Disconnect-MgGraph command, your session will end and MS Graph will no longer have access to those scopes.

    As for your last question, the best practice for cases like this would be to grant the least amount of permissions necessary to accomplish your task.

    You can use the Microsoft Graph permissions reference documentation to find the appropriate scopes for your needs. Additionally, you can use the principle of least privilege to ensure that you only grant the minimum permissions required for your application to function.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.


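As an added example (not code from the original thread or from Microsoft) for the asker's follow-up question about removing the consented permissions once the role assignments are done: the consent an admin gives during an interactive Connect-MgGraph session is stored in the tenant as oauth2PermissionGrant objects whose clientId is the service principal of the Graph PowerShell SDK (shown in current tenants as "Microsoft Graph Command Line Tools"), so it can be listed and trimmed or deleted explicitly. The example assumes the Microsoft.Graph module is installed, that the operator is an admin, and that the display name above is the one the SDK's app carries in the tenant (check under Enterprise applications if it differs); the scope being removed is the one named in the question.

```powershell
# Added example, not from the original thread.
$scopeToDrop   = 'AppRoleAssignment.ReadWrite.All'
$sdkAppDisplay = 'Microsoft Graph Command Line Tools'   # assumed display name of the Graph PowerShell SDK app

# DelegatedPermissionGrant.ReadWrite.All is required to edit grants; Application.Read.All to read service principals.
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All' -NoWelcome

$sdkSp = Get-MgServicePrincipal -Filter "displayName eq '$sdkAppDisplay'"
if (-not $sdkSp) { throw "Service principal '$sdkAppDisplay' not found in this tenant." }

# Every delegated grant where the SDK is the client. consentType 'AllPrincipals' is admin consent
# for all users; 'Principal' is consent for the single user in principalId.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sdkSp.Id)'" -All
$grants | Select-Object Id, ConsentType, PrincipalId, Scope | Format-Table -AutoSize

foreach ($g in $grants) {
    $scopes = $g.Scope -split ' ' | Where-Object { $_ }
    if ($scopes -notcontains $scopeToDrop) { continue }

    $remaining = ($scopes | Where-Object { $_ -ne $scopeToDrop }) -join ' '
    if ($remaining) {
        # Other scopes remain: shrink the grant instead of deleting it.
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -Scope $remaining
        Write-Host "Trimmed grant $($g.Id) to: $remaining"
    } else {
        # The dropped scope was the only one: delete the grant.
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        Write-Host "Removed grant $($g.Id)"
    }
}

# Re-check: nothing for this client should still carry the dropped scope.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sdkSp.Id)'" -All |
    Where-Object { ($_.Scope -split ' ') -contains $scopeToDrop }

Disconnect-MgGraph | Out-Null
```

Note that the cleanup session itself consents to DelegatedPermissionGrant.ReadWrite.All, which is recorded the same way; run the script a second time with that scope as $scopeToDrop, or remove the leftover grant from the SDK app's Permissions page in the Entra admin center, so the tenant ends up with no standing admin-level delegated grants for the PowerShell SDK.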