In 365 Activities, how to restrict Azure Application Permissions to a specific mailbox?
Issue Description: When configuring the Microsoft 365 Outlook Activities, in some cases delegated permissions do not work when using Windows Authentication. The most common error is 'Get Mail: 401 Unauthorized'.
Resolution: This implies that the organization is using Azure Active Directory with managed users rather than federated users. Windows Authentication is not supported for managed users (this is a Windows restriction, not a UiPath restriction).
If this error is encountered, use either:
- 'Username and Password' authentication, or
- the 'Application ID and Secret' flow, after granting the Application ID the required mailbox permissions.
Restrict Azure Application Permissions to a specific mailbox
- This can be done by following the instructions in Limiting Application Permissions to specific Exchange Online Mailboxes (an Exchange Online application access policy scoped to a mail-enabled security group).
- After this has been done, make sure that the Application ID has Application permissions set that allow for the reading and sending of mail, as described in Office 365 Setup.
Azure Graph API Background
Azure Graph API offers two ways of defining application permissions in Azure: delegated permissions and application permissions.
- Delegated permissions require a user to present their credentials along with the Application ID. This allows the Application ID to acquire exactly the same permissions and access rights as the user who presented their credentials. Often this is the preferred method; however, it is not compatible with Windows Authentication when Azure Active Directory is used with managed users.
- The other option is Application permissions. By default, these permissions give the Application ID access to everything the permission covers across the whole tenant, so in most cases it is better to add additional restrictions around what can be accessed.
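As an added example (not code from the article or from UiPath), these are the Exchange Online PowerShell steps behind the "Limiting Application Permissions to specific Exchange Online Mailboxes" procedure referenced above, applied to the restriction the last bullet recommends. It assumes the ExchangeOnlineManagement module, an account holding an Exchange administrator role, and placeholder values for the Application ID, group and mailbox addresses.

```powershell
# Added example, not part of the original article. Scope an app registration's
# application permissions (for example Mail.Read / Mail.Send) to a single mailbox
# using an Exchange Online Application Access Policy. Every identifier below is a
# placeholder and must be replaced with the tenant's own values.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin account

$AppId     = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID
$GroupSmtp = 'robot-mailboxes@contoso.example'        # placeholder: mail-enabled security group
$RobotMbx  = 'automation@contoso.example'             # placeholder: the only mailbox the robot may use
$OtherMbx  = 'finance@contoso.example'                # placeholder: a mailbox that must stay off-limits

# 1. A mail-enabled security group whose members are the permitted mailbox(es).
New-DistributionGroup -Name 'Robot Mailboxes' -PrimarySmtpAddress $GroupSmtp -Type Security
Add-DistributionGroupMember -Identity $GroupSmtp -Member $RobotMbx

# 2. The policy: this App ID may only access mailboxes that are members of the group.
#    RestrictAccess limits the app to the group; without any policy the permission is tenant-wide.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description 'UiPath Microsoft 365 activities: restrict to the robot mailbox only'

# 3. Verify the policy against both the scoped mailbox and an unrelated one
#    before relying on it; AccessCheckResult shows whether the app would be let in.
$scoped    = Test-ApplicationAccessPolicy -Identity $RobotMbx -AppId $AppId
$unrelated = Test-ApplicationAccessPolicy -Identity $OtherMbx -AppId $AppId
$scoped    | Format-List Identity, AccessCheckResult
$unrelated | Format-List Identity, AccessCheckResult

# 4. Periodically review which app registrations have a policy at all: any app holding
#    mailbox Application permissions but absent from this list can reach every mailbox.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description
```

Test-ApplicationAccessPolicy should report Granted for the scoped mailbox and Denied for the unrelated one; Microsoft documents that policy changes can take up to about 30 minutes to take effect, so re-run the check after that window before concluding the policy is wrong.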