logicappsio / LogicAppConnectionAuth

PowerShell Script to get an authorization link and complete auth for an OAuth connector.
MIT License

Consent issue #8

Open TheMorganator opened 3 years ago

TheMorganator commented 3 years ago

Not sure this is an issue with this code itself, but more with LogicApps in general. As far as I can see, LA is acting as a confidential client on behalf of the user granting the consent. In other words, it is using the consenting user's permissions to access whatever resources it is using. Is this a recommended pattern for server-side apps? The tokens granted during consent are not permanent and might be revoked, in which case the user must re-consent for the app to work again. How can we introduce access as a service principal directly instead of on behalf of a user?
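An added example (not code from this repository) illustrating the distinction raised above: an access token obtained through user consent carries the consenting user's identity and delegated scopes in the `scp` claim, whereas a token issued to a service principal or managed identity carries application permissions in the `roles` claim (and, when requested, `idtyp: "app"`). The sample tokens, tenant and object ids are constructed placeholders, and the decoder only inspects claims; it does not verify signatures.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.
    Inspection only: never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """'delegated' = issued after user consent, acts on behalf of that user and
    dies with the user's grant; 'application' = issued to a service principal
    or managed identity and independent of any user."""
    claims = decode_payload(token)
    if claims.get("idtyp") == "app":   # optional claim, present only if requested
        return "application"
    if "scp" in claims:                # delegated permissions are scopes
        return "delegated"
    if "roles" in claims:              # application permissions are app roles
        return "application"
    return "unknown"


def _make_token(payload: dict) -> str:
    # Constructed, unsigned sample token for demonstration only (empty signature).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample claims; ids in angle brackets are placeholders, not real values.
DELEGATED_TOKEN = _make_token({"aud": "https://graph.microsoft.com", "tid": "<tenant-id>",
    "upn": "user@contoso.example", "oid": "<user-object-id>", "scp": "Mail.Read Mail.Send"})
APP_TOKEN = _make_token({"aud": "https://graph.microsoft.com", "tid": "<tenant-id>",
    "oid": "<service-principal-object-id>", "roles": ["Mail.Read"], "idtyp": "app"})

if __name__ == "__main__":
    for name, tok in (("consent-based", DELEGATED_TOKEN), ("service principal", APP_TOKEN)):
        print(name, "->", classify_token(tok), decode_payload(tok).get("upn", "(no user)"))
```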

cveld commented 3 years ago

We have bumped into this question as well. It does not seem to be a good pattern to use user consent inside a backend process. Thinking out loud, to suggest a feature to the Azure Active Directory, Logic App and Exchange teams: could it be possible to extend Exchange mailboxes to allow role assignments to the managed identity of the logic app or connection?

We already apply various on-premises Active Directory enabled security groups, but if we understand correctly you cannot add Azure Active Directory service principals to them. So this forms a second hurdle.

To make this possible, would that mean that the Exchange team or Graph API team should build an Azure resource provider so that every mailbox becomes an Azure resource?