domainaware / parsedmarc

A Python package and CLI for parsing aggregate and forensic DMARC reports
https://domainaware.github.io/parsedmarc/
Apache License 2.0

MSGraph permissions help #560

Closed ijeries closed 2 months ago

ijeries commented 2 months ago

Hi


Would anyone please be able to help me find/work out which permissions are missing from the below setup in order for ParseDMARC to pull reports from a shared mailbox on MS office 365 (business/paid for) using MSGraph?

The shared mailbox has a valid license attached and I can logon to it via a browser. I can also see/read the dmarc reports in browser.

ParseDMARC is on the latest version 8.15.0.

Here is the parseDMARC config:

[general]
save_aggregate = True
save_forensic = True

[mailbox]
watch = True
delete = True
reports_folder = Inbox
batch_size = 1000

[msgraph]
enabled = True
user =
password =
mailbox =
auth_method = ClientSecret
tenant_id =
client_id =
client_secret =

I've created an Azure app + granted the following permissions:

I currently see the following error:

Sep 10 16:17:01 Server01 systemd[1]: Stopped parsedmarc mailbox watcher.
Sep 10 16:17:01 Server01 systemd[1]: Started parsedmarc mailbox watcher.
Sep 10 16:17:02 Server01 parsedmarc[56889]: ERROR:cli.py:1406:Mailbox Error
Sep 10 16:17:02 Server01 parsedmarc[56889]: Traceback (most recent call last):
Sep 10 16:17:02 Server01 parsedmarc[56889]:   File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/cli.py", line 1385, in _main
Sep 10 16:17:02 Server01 parsedmarc[56889]:     reports = get_dmarc_reports_from_mailbox(
Sep 10 16:17:02 Server01 parsedmarc[56889]:   File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/__init__.py", line 1446, in get_dmarc_reports_from_mailbox
Sep 10 16:17:02 Server01 parsedmarc[56889]:     connection.create_folder(aggregate_reports_folder)
Sep 10 16:17:02 Server01 parsedmarc[56889]:   File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/mail/graph.py", line 123, in create_folder
Sep 10 16:17:02 Server01 parsedmarc[56889]:     parent_folder_id = self._find_folder_id_with_parent(
Sep 10 16:17:02 Server01 parsedmarc[56889]:   File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/mail/graph.py", line 245, in _find_folder_id_with_parent
Sep 10 16:17:02 Server01 parsedmarc[56889]:     raise RuntimeWarning(f"Failed to list folders."
Sep 10 16:17:02 Server01 parsedmarc[56889]: RuntimeWarning: Failed to list folders.{'error': {'code': 'ErrorAccessDenied', 'message': 'Access is denied. Check credentials and try again.'}}
Sep 10 16:17:03 Server01 systemd[1]: parsedmarc.service: Main process exited, code=exited, status=1/FAILURE
Sep 10 16:17:03 Server01 systemd[1]: parsedmarc.service: Failed with result 'exit-code'.

Thank you!

seanthegeek commented 2 months ago

There might be a delay in the permissions being applied. https://github.com/domainaware/parsedmarc/issues/483#issuecomment-2024044129

ijeries commented 2 months ago

Thank you @seanthegeek, appreciate the response.

ijeries commented 2 months ago

Sharing my solution below before closing this issue in the hope it helps others.

o365 = Microsoft Office 365 (business/paid for subscription)
App = ParseDMARC app created within the o365 tenant

======= o365 setup ===========

1) In o365 Entra, create a ParseDMARC app.
2) Edit the app ==> API permissions option, and grant the ParseDMARC app permissions:
   Type: select MS Graph ==> then Application permissions.
   Search for and apply the permission: Mail.ReadWrite
   Hit "Grant admin consent for ..."
3) Open o365 Exchange and do the following:
   a) Create a mail-enabled security group.
   b) Make the shared mailbox a member of this mail-enabled security group.

=========== o365 powershell =======

1) Using PowerShell, connect to Exchange Online - https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
2) Run the following cmdlet to limit the o365 ParseDMARC app's access to the shared mailbox only. Note: by default, the above app permission grants access to all mailboxes.

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "<CLIENT_ID>" -PolicyScopeGroupId "<mail-enabled-security-group email>" -Description "Restrict ParseDMARC app access to the reports shared mailbox only."

3) Within PowerShell, use the following to test that the permissions are only granted to the required mailbox/resource:

Test-ApplicationAccessPolicy -Identity <e-mail> -AppId "ID string"

========== parsedmarc.ini working config: ========

[general]
# save DMARC rua and ruf reports to Splunk, True/False. 
save_aggregate = True
save_forensic = True

[mailbox]
watch = True
delete = True
reports_folder = Inbox
batch_size = 1000

[msgraph]
## access via MS graph API. Can only read content of declared shared mailbox.
enabled = True
mailbox = <e-mail of shared mailbox>
auth_method = ClientSecret
tenant_id = <string>
client_id = <string>
client_secret = <string>

Restart the parsedmarc service and check its status using:

sudo systemctl daemon-reload
sudo systemctl enable parsedmarc.service
sudo service parsedmarc restart
sudo service parsedmarc status
sudo journalctl -eu parsedmarc
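A small check script, added here as an example and not part of parsedmarc or the comment above, that reproduces the Graph call parsedmarc fails on (listing mail folders with a client-credentials token) and confirms the ApplicationAccessPolicy really narrows the app to the DMARC mailbox: the restricted mailbox should come back "allowed" and any other mailbox "denied" with the same ErrorAccessDenied body seen in the log. Tenant, client and mailbox values are placeholders you supply; the network calls use only the standard library.

```python
from __future__ import annotations
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Graph (the auth_method = ClientSecret flow)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_folders(token: str, mailbox: str) -> tuple[int, dict]:
    """GET /users/{mailbox}/mailFolders, returning (HTTP status, JSON body) even on error."""
    req = urllib.request.Request(f"{GRAPH}/users/{mailbox}/mailFolders",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def classify(status: int, body: dict) -> str:
    """Map a mailFolders response to 'allowed', 'denied' or 'other:<code>'."""
    if status == 200 and "value" in body:
        return "allowed"
    code = body.get("error", {}).get("code", "")
    return "denied" if code == "ErrorAccessDenied" else f"other:{code or status}"


def policy_effective(results: dict[str, str], dmarc_mailbox: str) -> bool:
    """True only when the DMARC mailbox is reachable and every control mailbox is denied."""
    return all((v == "allowed") == (m == dmarc_mailbox) for m, v in results.items())


if __name__ == "__main__":  # placeholders: replace with your tenant values
    tok = get_token("<tenant_id>", "<client_id>", "<client_secret>")
    boxes = ["dmarc@example.com", "someone-else@example.com"]  # DMARC box + a control mailbox
    outcome = {m: classify(*list_folders(tok, m)) for m in boxes}
    print(outcome, "policy effective:", policy_effective(outcome, boxes[0]))
```

Run it before and after New-ApplicationAccessPolicy: before, both mailboxes report "allowed" (Mail.ReadWrite is tenant-wide); after, only the DMARC mailbox should.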