0 Votes
GranvilleRex-1078 asked ·

OAuth 2.0 - Authenticating Outlook Account in Azure AD

I am testing 2-legged OAuth 2.0 integration for POP3 in a desktop application. The app has a service component that sends and receives emails from a single account in the background.

I set up a @outlook.com account to test with, and started a trial for Azure using this account.

I'm not very clear on the relationship between the Outlook account and the Azure tenant though. If I provide my app "Mail.Send" permission for the Graph API (or "full_access_as_app" for the Exchange API) and request a token, can I use that token to authenticate the @outlook account?

The outlook account shows up as a User on the Azure directory. Is that sufficient to grant my app access to the account via the Graph API?

Any info on this would be greatly appreciated! Please let me know if there is a better way to set up this testing.

EDIT:

I thought I'd post the tokens I'm getting back from both endpoints. I receive a "protocol error" when I try to authenticate on either the outlook.office365.com or pop3.live.com servers using these tokens, which is why I wanted to make sure it's possible to authenticate an outlook account using one of the above APIs.

I've also tried registering for an Exchange Online trial with the same outlook account and testing with the Exchange email address. I receive the exact same "protocol error".

Graph Endpoint:

 {
 "aud": "https://graph.microsoft.com",
 "iss": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
 "iat": 1585688162,
 "nbf": 1585688162,
 "exp": 1585692062,
 "aio": "42cAAh59R94bYs4Je0Kn290+uwUA",
 "app_displayname": "Remindex",
 "appid": "ad2ead7c-edb9-476f-8209-ecb29e1b7355",
 "appidacr": "1",
 "idp": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
 "oid": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
 "roles": [
 "Mail.ReadWrite",
 "Mail.Send"
 ],
 "sub": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
 "tid": "04669076-130f-49aa-b6b8-171a9e74b324",
 "uti": "gpIYvaSYikuDnd6CFQAnAA",
 "ver": "1.0",
 "xms_tcdt": 1585156686
 }


Exchange Endpoint:

 {
 "aud": "https://outlook.office365.com",
 "iss": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
 "iat": 1585688002,
 "nbf": 1585688002,
 "exp": 1585691902,
 "aio": "42dgYNjxvn/mtBN+7zm3/vu4L0yyAgA=",
 "app_displayname": "Remindex",
 "appid": "ad2ead7c-edb9-476f-8209-ecb29e1b7355",
 "appidacr": "1",
 "idp": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
 "oid": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
 "roles": [
 "full_access_as_app",
 "Mail.ReadWrite",
 "MailboxSettings.ReadWrite",
 "Mail.Read",
 "Mail.Send",
 "MailboxSettings.Read"
 ],
 "sid": "f4596631-bebc-4308-8b46-8ea14b842739",
 "sub": "0f7a5174-fcce-4752-ae07-ba8e64de467f",
 "tid": "04669076-130f-49aa-b6b8-171a9e74b324",
 "uti": "0lyqmDTwPEqSeXwQYHUlAA",
 "ver": "1.0"
 }

Please let me know of any additional information that would be helpful to include.



azure-active-directory
· 2

Remember every step you take exploring Azure, and when finished, take the proper steps to cancel the Outlook account you are testing. Have fun 😀

0 Votes 0 ·
GranvilleRex-1078 · microsoftgov1834mrssmith-1627 ·

Will do, thanks!

0 Votes 0 ·

1 Answer

1 Vote
soumi-MSFT answered ·

@GranvilleRex-1078, You can very well use the outlook.com account; using it means the user has given a valid email id, and using that email id an Azure Subscription/Azure Licenses have been purchased. This outlook.com account is saved in the tenant's directory (i.e. Azure AD) to maintain its identity for the respective tenant, and also Azure considers that user id to be the highest-grade admin for the tenant, like a Global Admin or Service Admin. You can update that anytime you want, but initially, during the tenant creation, this is what happens.

Now coming to the second part of the query: if you provide your app with "Mail.Send" permission for the Graph API (or "full_access_as_app" for the Exchange API) and request a token, can you use that token to authenticate the @outlook account?

Now it depends on what kind of permissions are provided. To start with, there are two types of Permission Set for every 1st party api, i.e. Application permissions (used when an application is trying to access the api) and Delegated Permissions (used when a user tries to access an api using the application; in other words, the application tries to get the api response on behalf of the user). More info on this can be found here.

In case you want to get an access token for your user with the Outlook.com user id, you would have to set the delegated permissions and then request a token. Once you get the access token and decode it, you should see the "aud" [audience] is set as https://graph.microsoft.com, and in the "scp" [scopes] your permissions for the api would be listed.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
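The answer's distinction between application and delegated permissions shows up directly in the token's claims: app-only (client-credentials) tokens carry a `roles` array, delegated tokens carry a space-separated `scp` string, and in both cases `aud` must match the resource the token is presented to. The following helper, added here as an illustration and not code from this thread or from Microsoft, decodes a JWT payload and reports which kind of grant it represents, whether the audience matches, and whether it has expired. The two sample tokens are constructed: the app-only one mirrors the claim shape of the Graph token posted in the question, the delegated one uses placeholder identifiers. The decoder deliberately does not verify the signature, so it is a diagnostic aid for reading your own tokens, not a validator a relying party could trust.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT segments omit '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature) WITHOUT
    verifying the signature. Diagnostic use only: a relying party must verify
    the signature against the issuer's published keys before trusting a claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def classify_token(claims: dict, expected_aud: str, now: Optional[int] = None) -> dict:
    """Summarise what a token can be used for.

    - App-only (client credentials) tokens carry a 'roles' array and no 'scp'.
    - Delegated tokens carry a space-separated 'scp' string and identify a user.
    - 'aud' must equal the resource the token is presented to, or it is rejected.
    """
    now = int(time.time()) if now is None else now
    if "scp" in claims:
        grant, permissions = "delegated", claims["scp"].split()
    elif "roles" in claims:
        grant, permissions = "app-only", list(claims["roles"])
    else:
        grant, permissions = "unknown", []
    return {
        "grant": grant,
        "permissions": sorted(permissions),
        "aud_ok": claims.get("aud") == expected_aud,
        "expired": int(claims.get("exp", 0)) <= now,
        # appidacr (v1 tokens): "0" public client, "1" client secret, "2" certificate
        "client_auth": claims.get("appidacr"),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT-shaped string for offline testing only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed samples. The app-only one mirrors the claim shape of the Graph token
# posted in the question (aud, roles, appidacr, exp); the delegated one shows what
# the answer says to look for (an 'scp' claim) and uses placeholder identifiers.
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/04669076-130f-49aa-b6b8-171a9e74b324/",
    "iat": 1585688162, "nbf": 1585688162, "exp": 1585692062,
    "appid": "ad2ead7c-edb9-476f-8209-ecb29e1b7355", "appidacr": "1",
    "roles": ["Mail.ReadWrite", "Mail.Send"],
    "tid": "04669076-130f-49aa-b6b8-171a9e74b324", "ver": "1.0",
})
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
    "iat": 1585688162, "nbf": 1585688162, "exp": 1585692062,
    "scp": "Mail.Read Mail.Send User.Read",
    "upn": "user@example.invalid", "ver": "1.0",
})

if __name__ == "__main__":
    for name, tok in (("graph app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, classify_token(decode_claims(tok), "https://graph.microsoft.com", now=1585688200))
```

Run against the two tokens pasted in the question, both classify as app-only (a `roles` array, `appidacr` of "1", no `scp`), which is consistent with the 2-legged client-credentials flow the asker describes; the Graph token has `aud` of https://graph.microsoft.com and the Exchange one https://outlook.office365.com, so each is only valid at the resource it was issued for.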

Thanks for the response! Glad to hear this scenario is possible.

I should have made it clearer in my question that I'm trying to set up 2-legged OAuth, so I think the Application permissions are what I'm after.

I'm able to receive valid tokens from both endpoints, but I've so far been unable to successfully authenticate on the outlook account using either token, which is why I wanted to make sure it is possible to authenticate an outlook account with one of those APIs. I've added the token responses to my original question; let me know if you're able to provide any additional info!

0 Votes 0 ·