Microsoft Graph API works differently from other email protocols in iService. You will create an application in your Azure tenant that defines the scope of the application and its access rights. You will then save the authentication details in the External APIs page rather than the mailbox configuration. All mailboxes will use the same credentials that you create and save in the External APIs page. This is different from using POP and SMTP, where you enter the password directly into the mailbox configurations page.
This chapter provides guidance for creating your iService Application within Azure.
Create your application
After you log into Azure, navigate to Applications and click New Application.
Enter a name that others will recognize, like iService. Set the scope of the application so it limits access to account in this organizational directory. You do not need to enter a value for the Redirect URI.
When you save your app, navigate to API Permissions.
Click Add a permission and then select Application Permissions.
Your application should only have the two permissions shown below (Mail.ReadWrite and Mail.Send).
After you add the permissions, you must Grant Admin Consent for the permissions. Click on Grant admin consent to open the dialog box and the select Yes.
After you grant admin consent, the status will turn green.
To obtain your secret key for the application, click on Certificates and Secrets and then Client Secrets. Then click on New Client Secret to create the secret.
Enter a short description for the secret and then select the expiration period. Be sure to note the date the secret expires and create a new one before the expiration date.
After you configure the secret key and set the expiration, the key will be displayed.
To get the other two values, load the Overview page.
Locking Down The Application
After you create your application, you should setup the proper restrictions to limit the access of the credentials you create to only the associated mailboxes. This is a separate step from creating the application in the process described above.
The steps are roughly as shown below.
1.Create a new app registration in the Azure directory for iService to use. In the app registration settings:
oIn the app registration API permissions page, assign this app the proper permissions- I think Mail.Read and Mail.Send would be all that's needed, but this will ultimately depend on how we implement it I guess. Then grant admin consent for these permissions.
oIn the certificates and secrets page, generate the secret key for to later plug in to the iService app
2.Define a "Mail-Enabled Security Group" in the directory and add then add the mailboxes they want us to have access to, to that group. For the example below, this group is called iservice@mydomain.com
3.Create an application access control policy that restricts the app created in step 1 to only have access to the mailboxes in the mail-enabled security group created in step 2:
New-ApplicationAccessPolicy -AppId <your-app-id> -PolicyScopeGroupId iservice@mydomain.com -AccessRight RestrictAccess -Description "Restrict iService app to mailboxes in the iService security group."
4.Create the mailbox in iService tied to the Azure app created in step 1, including the app id, secret key, etc. Ideally we'll have this part abstracted out in the iService admin panel by then though so that you can just define it once there, then reference in a dropdown when creating each iService mailbox.
The Microsoft documentation for this step can be found at https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access.
