
iService User Guide

Creating a Microsoft Graph API Application

Microsoft Graph API works differently from the other email protocols in iService. You create an application (an app registration) in your Azure tenant that defines the application's scope and access rights, and you then save the authentication details in the External APIs page rather than in the mailbox configuration. All mailboxes use the same credentials that you create and save in the External APIs page. This differs from POP and SMTP, where you enter the password directly in the mailbox configuration page.

This chapter provides guidance for creating your iService Application within Azure.

Create your application

After you log into Azure, navigate to Applications and click New Application.


Enter a name that others will recognize, such as iService. Set the scope of the application so that it limits access to accounts in this organizational directory only. You do not need to enter a value for the Redirect URI.


After you save your app, navigate to API Permissions.


Click Add a permission and then select Application Permissions.


Your application should have only the two application permissions Mail.ReadWrite and Mail.Send. Any additional permission gives the credentials access to more data than iService needs.


After you add the permissions, you must grant admin consent for them. Click Grant admin consent to open the dialog box, and then select Yes.


After you grant admin consent, the status will turn green.


To obtain your secret key for the application, click on Certificates and Secrets and then Client Secrets. Then click on New Client Secret to create the secret.


Enter a short description for the secret and then select the expiration period. Be sure to note the date the secret expires and create a new secret before that date, because iService will be unable to access mail once the secret has expired.


After you configure the secret and set the expiration, the secret value is displayed. Copy it at this point: Azure shows the value only once and does not display it again after you leave the page.


To get the other two values, open the application's Overview page.
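The two requirements above that are easy to get wrong over time, that the app holds only Mail.ReadWrite and Mail.Send and that its client secret has not expired, can be checked from the command line. The script below is an added example and is not part of the iService guide; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-MgApplication), assumes the signed-in account can read application objects, and uses <your-app-id> as a placeholder for the Application (client) ID from the Overview page.

```powershell
# Added example (not from the iService guide): audit an iService app registration.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account
# holds Application.Read.All. <your-app-id> is a placeholder for the
# Application (client) ID shown on the app's Overview page.

param(
    [string]$AppId = "<your-app-id>",
    [string[]]$AllowedRoles = @("Mail.ReadWrite", "Mail.Send"),
    [int]$WarnDays = 30
)

Connect-MgGraph -Scopes "Application.Read.All"

# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
# Its AppRoles list maps application-permission GUIDs to names such as Mail.Send.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# 1. Which application permissions have actually been granted (admin consent)?
#    App role assignments on the service principal are the granted permissions;
#    anything configured but not consented does not appear here.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($a in $assignments) {
    $name = if ($a.ResourceId -eq $graphSp.Id) { $roleNames[$a.AppRoleId] }
            else { "$($a.ResourceDisplayName):$($a.AppRoleId)" }
    if ($AllowedRoles -contains $name) { Write-Output "OK        $name" }
    else { Write-Warning "UNEXPECTED permission granted: $name (remove it under API permissions)" }
}
foreach ($r in $AllowedRoles) {
    if (-not ($assignments | Where-Object { $roleNames[$_.AppRoleId] -eq $r })) {
        Write-Warning "Expected permission $r is not granted (admin consent missing?)"
    }
}

# 2. When do the client secrets expire? The secret value itself is never retrievable
#    here; only its display name and expiry date are stored on the application object.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) {
        Write-Warning "Secret '$($cred.DisplayName)' EXPIRED $(-$daysLeft) days ago"
    } elseif ($daysLeft -le $WarnDays) {
        Write-Warning "Secret '$($cred.DisplayName)' expires in $daysLeft days; create a replacement now"
    } else {
        Write-Output "Secret '$($cred.DisplayName)' OK, expires $($cred.EndDateTime.ToString('yyyy-MM-dd'))"
    }
}
```

Run it on a schedule (or before each secret rotation) so that an extra permission granted by mistake, or a secret about to expire, is reported before it affects mail processing.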


Locking Down The Application

After you create your application, you should set up the proper restrictions so that the credentials you create can access only the associated mailboxes. Without this step, the application permissions above apply to every mailbox in the tenant. This is a separate step from creating the application as described above.

The steps are roughly as follows.

1. Create a new app registration in the Azure directory for iService to use. In the app registration settings:

   o In the API permissions page, assign this app the proper permissions (Mail.Read and Mail.Send should be all that is needed, though this ultimately depends on how it is implemented). Then grant admin consent for these permissions.

   o In the Certificates and secrets page, generate the secret key to plug into the iService app later.

2. Define a "Mail-Enabled Security Group" in the directory and add the mailboxes that iService should be able to access to that group. In the example below, this group is called iservice@mydomain.com.

3. Create an application access policy that restricts the app created in step 1 to only the mailboxes in the mail-enabled security group created in step 2:

   New-ApplicationAccessPolicy -AppId <your-app-id> -PolicyScopeGroupId iservice@mydomain.com -AccessRight RestrictAccess -Description "Restrict iService app to mailboxes in the iService security group."

4. Create the mailbox in iService tied to the Azure app created in step 1, including the app ID, secret key, etc. Ideally this part is abstracted out in the iService admin panel so that you define it once there and then reference it from a dropdown when creating each iService mailbox.

The Microsoft documentation for this step can be found at https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access.
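Steps 2 and 3 above, together with a check that the policy actually takes effect, can be run end to end from Exchange Online PowerShell. The following is an added example, not part of the iService guide or of Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, and the app ID, the mydomain.com addresses and the mailbox names are placeholders and constructed sample values.

```powershell
# Added example (not from the iService guide): create the mail-enabled security
# group, apply the application access policy, and verify it with
# Test-ApplicationAccessPolicy. Assumes the ExchangeOnlineManagement module.
# <your-app-id> is a placeholder; all addresses below are constructed samples.

$AppId      = "<your-app-id>"
$GroupSmtp  = "iservice@mydomain.com"
$Allowed    = @("support@mydomain.com", "sales@mydomain.com")  # mailboxes iService may use
$NotAllowed = "finance@mydomain.com"                           # any mailbox outside the group

Connect-ExchangeOnline

# Step 2: a mail-enabled security group holding only the mailboxes iService may access.
New-DistributionGroup -Name "iService Mailboxes" -Type Security -PrimarySmtpAddress $GroupSmtp
foreach ($mbx in $Allowed) {
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $mbx
}

# Step 3: the access policy from the guide. Until it exists, the app's
# Mail.ReadWrite/Mail.Send application permissions reach every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description "Restrict iService app to mailboxes in the iService security group."

# Verification: ask Exchange Online what the policy decides for each mailbox.
# New policies take some time to propagate, so re-run this part until the
# results are as expected before relying on the restriction.
foreach ($mbx in ($Allowed + $NotAllowed)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    "{0,-28} {1}" -f $mbx, $result.AccessCheckResult
}

# Listing the policies afterwards shows what is currently enforced for the tenant.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
```

A mailbox that is a member of the group should come back with an AccessCheckResult of Granted and the mailbox outside the group with Denied; if the outside mailbox is still Granted after the policy has had time to propagate, the app ID or group address in the policy does not match what was created.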

© 2008 - 2024 One-to-One Service.com, Inc. All rights reserved.