Azure / Microsoft365R

R SDK for interacting with Microsoft 365 APIs

unable to access shared mailbox with proxy access #103

Closed cndunham closed 2 years ago

cndunham commented 2 years ago

I need API access to a shared mailbox for which a service account has been created with appropriate permissions. Given a tenant, username, and password (service account) that work for my primary email account, I receive an error of "Error in process_response(res, match.arg(http_status_handler), simplify) : Forbidden (HTTP 403). Failed to complete operation. Message: Insufficient privileges to complete the operation" when running the following code that includes the shared mailbox argument.

library(Microsoft365R)
mailbox = get_business_outlook(tenant = tenant,
                           shared_mbox_email = '[my full shared account email address]',
                           username = user,
                           password = pwd,
                           auth_type = 'resource_owner' # produces error
                           # auth_type = 'proxy' # produces error
                           # auth_type = 'device_code' # produces error
                           )

I wish I had more information to provide. Again, this works as advertised for my primary account, but trying to add my shared mailbox produces the error. Is there another way to authenticate for a shared mailbox for which I have proxy access?

hongooi73 commented 2 years ago

Are you able to access the shared mailbox when you log in as yourself?

cndunham commented 2 years ago

I am through the browser, yes, but not using the get_business_outlook function. My IT team is stumped.


hongooi73 commented 2 years ago

See https://github.com/Azure/Microsoft365R/blob/master/inst/app_registration.md, you (or your admin) have to allow the shared mailbox permissions on the Microsoft365R app ID. I'm not fully knowledgeable on the AAD admin UI, but it shouldn't be too hard to do this, given the ID and the required permissions.
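Added example, not part of the original thread or of the Microsoft365R package: one way to check whether an access token issued to the app carries the delegated shared-mailbox scopes that admin consent would grant. The scope names in `required`, the helper names and the sample token are assumptions made for illustration.

```r
library(jsonlite)

# Decode the payload (middle segment) of a JWT access token.
# Diagnostic use only: the signature is not verified.
jwt_payload <- function(jwt) {
  seg <- strsplit(jwt, ".", fixed = TRUE)[[1]]
  if (length(seg) != 3) stop("not a three-part JWT")
  b64 <- chartr("-_", "+/", seg[2])                           # base64url -> base64
  b64 <- paste0(b64, strrep("=", (4 - nchar(b64) %% 4) %% 4)) # restore padding
  fromJSON(rawToChar(base64_dec(b64)))
}

# Assumption: Microsoft Graph delegated scopes needed for a shared mailbox.
required <- c("Mail.ReadWrite.Shared", "Mail.Send.Shared")

# Return the required scopes that are absent from the token's "scp" claim.
missing_scopes <- function(jwt, required) {
  scp <- jwt_payload(jwt)$scp
  granted <- if (is.null(scp)) character(0) else strsplit(scp, " ", fixed = TRUE)[[1]]
  setdiff(required, granted)
}

# Constructed sample token (not a real credential): consent was given only
# for the signed-in user's own mailbox.
b64url <- function(x) gsub("=+$", "", chartr("+/", "-_", base64_enc(charToRaw(x))))
sample_jwt <- paste(
  b64url('{"alg":"none","typ":"JWT"}'),
  b64url('{"appid":"00000000-0000-0000-0000-000000000000","scp":"Mail.ReadWrite Mail.Send User.Read"}'),
  "constructed-signature",
  sep = "."
)

# Lists the shared-mailbox scopes the token lacks.
print(missing_scopes(sample_jwt, required))
```

In a live session the token string would come from the login object, for example the `credentials$access_token` field of the AzureAuth token (assumed here). A non-empty result means the app has not been granted those scopes, which is a consent issue rather than a wrong username or password.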

cndunham commented 2 years ago

I was told there is no place in our admin UI to provide permissions to an application ID. Is this a must for accessing a shared mailbox? Even when authenticating as myself I can only access my own mailbox, whereas in the same environment I can open a browser with a direct link to the shared mailbox and that works just fine.


hongooi73 commented 2 years ago

One thing you can do is to have your admin run get_business_outlook(shared_mbox_email=*) on their machine. They will get the AAD prompt to authorise the permissions which they should be able to do. They should log in with their own admin credentials, rather than the service account.

This requires them to have R installed, which is probably unlikely. Alternatively, you can have them do it on your machine, but you'll have to log out of your browser first.

Either way, this isn't really a problem with the Microsoft365R package, so I'm closing this. If you're still having problems, you can send me an email or try asking for help on Stack Overflow.

cndunham commented 2 years ago

Thank you, Hong. I will propose this to my IT admin. I really appreciate your help. This package is wonderful, just not much out there yet to help with troubleshooting issues like this.
