Azure / Microsoft365R

R SDK for interacting with Microsoft 365 APIs

Shared Inbox Access? #39

Closed shriv closed 3 years ago

shriv commented 3 years ago

Hiya, I'm a very new user of this package. My particular use case is developing an ETL pipeline which begins with extracting automated data feeds from a Shared Inbox. I've got access to my Outlook mail but I am unable to see the Shared Inbox. I suspect this is because the Microsoft365R package only requests Mail.ReadWrite permissions rather than Mail.ReadWrite.Shared as per here? Do I need to ask the admin to include this permission separately or would there be an update to this package that will allow Shared Inbox access?

Thanks!

hongooi73 commented 3 years ago

Hi, thanks for using the package. I haven't looked at shared inboxes before this, but from what I can tell there's a couple of things needed:

```r
library(Microsoft365R)
gr <- AzureGraph::create_graph_login(app="yourappid")  # 'yourappid' is the ID of the app registration you created
shared_inbox <- gr$get_user("inboxid")$get_outlook()
```

Assuming this works, on subsequent calls you can replace create_graph_login with get_graph_login.

shriv commented 3 years ago

Thanks for such a quick reply! :-) Just to confirm, I will create an app with all the permissions you have noted here and just replace Mail.ReadWrite with Mail.ReadWrite.Shared?

Is there a way I can use Microsoft365R to send this request? I ask because our org permissions are very locked down and we cannot even access the AAD portal.

hongooi73 commented 3 years ago

No, you'll have to get your admin to do this. (It's possible that you could use the underlying AzureGraph package to create the app, but if your org is locked down you probably don't have the rights to create apps.)

shriv commented 3 years ago

Okay, that makes sense! Thanks :-)

hongooi73 commented 3 years ago

Also, if shared inbox access is a much-requested feature I can change the default permissions on the Microsoft365R app. I'm leery of doing this right now though, as it would require people to re-authorise the app to access their data.

shriv commented 3 years ago

I, for one, would appreciate it but it would be annoying for others! I'll see how I get on with requesting an app in our org tenant..

hongooi73 commented 3 years ago

Please leave this open as others may also want the same feature.

iankloo commented 3 years ago

Just throwing in that I would also benefit from this feature.

hongooi73 commented 3 years ago

@iankloo You can actually do this right now. You'll have to get your admin to consent to the necessary permissions first, but then you can run something like this:

```r
gr <- AzureGraph::create_graph_login("yourtenant",
    app=Microsoft365R:::.microsoft365r_app_id,
    scopes=c("Mail.ReadWrite.Shared", "Mail.Send", "Group.ReadWrite.All")  # use shared mail scope
)
user <- gr$get_user("shared-inbox-id")
user_mbox <- user$get_outlook()
```

It's just a question of whether and how much this should be automated in Microsoft365R. The Mail.ReadWrite.Shared scope is not part of the default permissions, but you can request it explicitly with the code above (and you'll need to get your admin to approve it separately).

hongooi73 commented 3 years ago

Shared mailbox support has been added to get_business_outlook. To retrieve a shared mailbox, supply one of the arguments shared_mbox_id, shared_mbox_name or shared_mbox_email. If you leave all of these out, you will get your own mailbox (the current behaviour).

Note that shared access requires extra permissions, namely Mail.Send.Shared and Mail.ReadWrite.Shared. You'll get a message asking your admin to approve this.

I'm unable to test this as I don't have access to a suitable tenant/mailbox right now, so can those who requested this feature please try it out and tell me if there are any problems. Thanks!
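
An added example (not code from this thread or from the package) of a pre-flight check for the pipeline use case: confirm that the two shared scopes named above were actually granted before reading the shared inbox. It assumes the scopes returned by the login are available as `token$credentials$scope` on the mailbox object; `missing_scopes`, `fetch_shared_inbox` and the sample scope strings are hypothetical names and constructed values.

```r
library(Microsoft365R)

# Delegated scopes the thread names for shared mailbox access.
shared_scopes <- c("Mail.ReadWrite.Shared", "Mail.Send.Shared")

# Which of `required` are absent from a space-separated scope string?
# Scopes may come back bare or prefixed with the resource URL, so compare
# on the last path component, case-insensitively.
missing_scopes <- function(granted, required = shared_scopes) {
    if (is.null(granted)) granted <- ""
    have <- tolower(basename(strsplit(trimws(granted), "\\s+")[[1]]))
    required[!(tolower(required) %in% have)]
}

# Constructed scope strings, checked offline (no login needed).
stopifnot(
    length(missing_scopes("openid profile Mail.ReadWrite.Shared Mail.Send.Shared")) == 0,
    # Mail.ReadWrite alone does not cover the shared mailbox.
    identical(missing_scopes("https://graph.microsoft.com/Mail.ReadWrite"), shared_scopes),
    identical(missing_scopes(NULL), shared_scopes)
)

# Open the shared mailbox by address and refuse to continue if consent is
# incomplete. Triggers an interactive login, so it is defined here, not run.
fetch_shared_inbox <- function(mailbox_email, tenant, n = 20) {
    mbox <- get_business_outlook(tenant = tenant, shared_mbox_email = mailbox_email)

    # Assumption: the token attached to the mailbox object carries the
    # granted scopes as credentials$scope.
    gap <- missing_scopes(mbox$token$credentials$scope)
    if (length(gap) > 0) {
        stop("Shared mailbox scopes not consented: ", paste(gap, collapse = ", "))
    }

    mbox$list_inbox_emails(n = n)
}

# Example call with placeholder values:
# emails <- fetch_shared_inbox("feeds@example.com", tenant = "yourtenant")
```

Failing early on a missing scope gives the pipeline a clear consent error to pass to the admin, instead of an access failure partway through a run.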

hongooi73 commented 3 years ago

@isaac-florence @iankloo @shriv

hongooi73 commented 3 years ago

Now in 2.3.0

isaac-florence commented 2 years ago

Hi @hongooi73, please accept my apologies for not thanking you here sooner. Our security team have only just reapproved the app and I can confirm this works just as expected for us. Thank you very much for implementing this change, it's hugely appreciated.