MS Graph API and Azure AD App Registration – Daemon App - Access Email Inbox for Single User Account (Service Account) Without Requiring Global Application Permissions – Need Guidance

Josh Yarbrough 1 Reputation point
2021-07-14T15:45:26.303+00:00

Background:

I have a service account that has its own O365 email inbox. I have a legacy console app that currently attaches via IMAP but want to upgrade this to use MS Graph API and Azure.Identity. The app currently logs in as the service account and reads mail in the inbox searching for pdf attachments, and if one matches the criteria, prints it automatically.

In reading, it would seem that since this is a service account, running as a scheduled task on a server and thus not available to the public, that I should use a confidential client app registration to access the mailbox. Note that my institution will not agree to authorize this app registration to have “Application Permissions” (as a Daemon app) since it would allow this application to access ALL email inboxes in the tenant/institution.

Because of not being able to get Application Permissions granted to my app, I dropped back to the belief that I should also be able to simply use a Public Client, using the UsernamePasswordCredential of Azure.Identity package to accomplish the same thing, but only be logged in as the single user. When I use the InteractiveUserCredential, I can authenticate and am able to access the email messages via Graph API without issue. However, when I attempt to pass the username and password via the UsernamePasswordCredential, I get the following error.


Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.
---> Azure.Identity.AuthenticationFailedException: UsernamePasswordCredential authentication failed: AADSTS7500514: A supported type of SAML response was not found. The supported response types are 'Response' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion').
Trace ID: e7a9f081-7266-4804-a1bc-ed2587de1503
Correlation ID: 6dde793b-4cf1-4a3c-abce-4fb2fa5f75fe
Timestamp: 2021-07-07 20:08:22Z ---> Microsoft.Identity.Client.MsalServiceException: AADSTS7500514: A supported type of SAML response was not found. The supported response types are 'Response' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion').
Trace ID: e7a9f081-7266-4804-a1bc-ed2587de1503
Correlation ID: 6dde793b-4cf1-4a3c-abce-4fb2fa5f75fe
Timestamp: 2021-07-07 20:08:22Z
at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
at Microsoft.Identity.Client.OAuth2.OAuth2Client.<ExecuteRequestAsync>d__11`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---


I have read that MFA, if applied to an account, could generate this error – however, I am unsure how to determine if MFA is truly applied to this account. (When logging in interactively, I’ve never been prompted for MFA, but with my personal account at our institution, it seems to depend on what resources I’m hitting before it asks for MFA as well).

Actual Request:

I would appreciate if someone could point me to a way to use the Confidential Client to access the email inbox of a single known user account without requiring any global “Application Permissions” from my institution (can the App registration ALWAYS authenticate as if it were a single specific service account?)

– OR –

Help me understand why the public client using UsernamePasswordCredential produces the error and how to resolve that.

Microsoft Entra ID

1 answer

  1. Vasil Michev 106.2K Reputation points MVP
    2021-07-14T17:54:34.57+00:00

    You can limit application permissions to specific mailbox(es) as detailed here: https://practical365.com/application-access-policies-in-exchange-online/
    And by you I mean an admin within your organization :)

    1 person found this answer helpful.
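
The scoping approach the answer points to, sketched as an added example (not code from the original post or the linked article). It assumes the ExchangeOnlineManagement module, an admin session, and an app registration that has already been granted the Mail.Read application permission; the app ID, addresses and group name are placeholders.

```powershell
# Added example: restrict an app registration's application-level mail access
# to a single service mailbox with an Exchange Online application access policy.
# Every identifier below is a placeholder or hypothetical name, not a value from the post.
$AppId      = '00000000-0000-0000-0000-000000000000'    # placeholder: application (client) ID
$ServiceMbx = 'print-svc@contoso.example'               # hypothetical service-account mailbox
$OtherMbx   = 'someone.else@contoso.example'            # hypothetical mailbox that must stay out of reach
$ScopeGroup = 'graph-print-svc-scope@contoso.example'   # hypothetical mail-enabled security group

# Must be run by an Exchange Online administrator.
Connect-ExchangeOnline

# 1. Mail-enabled security group containing only the mailbox the app may read.
New-DistributionGroup -Name 'Graph Print Service Scope' `
    -Alias 'graph-print-svc-scope' `
    -Type Security `
    -PrimarySmtpAddress $ScopeGroup `
    -Members $ServiceMbx

# 2. RestrictAccess: the app can reach members of the scope group and nothing else.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit print daemon to the service mailbox only'

# 3. Verify both directions before handing the credential to the daemon.
$allowed = Test-ApplicationAccessPolicy -AppId $AppId -Identity $ServiceMbx
$denied  = Test-ApplicationAccessPolicy -AppId $AppId -Identity $OtherMbx

if ($allowed.AccessCheckResult -ne 'Granted') {
    throw "Policy does not grant access to $ServiceMbx"
}
if ($denied.AccessCheckResult -ne 'Denied') {
    throw "Policy still allows access to $OtherMbx; do not deploy the app secret"
}

# Review what is in force for this app (useful for later audits).
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List Identity, AppId, ScopeName, AccessRight, Description
```

The policy narrows an application permission that has already been consented to; it does not replace the admin consent step. Allow time for the policy to propagate before testing through Graph itself.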
