
Actionable Email - Azure OAuth

rushikeshvartak
All-Star

We are setting up actionable email approval with Microsoft Azure OAuth.

 


 

We have provided the SPN access to read the mailbox, but we are getting an access denied error.

{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}

 

The mailbox has the required access.

 

Part of the issue was to avoid giving that API access to the SP, because it shouldn't be allowed to read everyone's mailboxes.

 

https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

sudeshjaiswal
Saviynt Employee

Hello @rushikeshvartak,

Does it work, when you give the full access?

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

No



CR
Regular Contributor III

User ID is missing


 


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

sudeshjaiswal
Saviynt Employee

Hello @rushikeshvartak,

Please validate if the below permissions are granted:

Following are the permissions required to read the mailbox messages. These permissions are for applications.

Assign the required permissions in Azure AD by following the steps mentioned in the above section. The following permissions are required for reading emails.


As mentioned initially, the client is not ready to provide Mail.Read access, as the service account can read everyone's mailbox. We have explicitly provided the SPN access to an individual account.

 

As confirmed by the TAM, this is feasible; we are waiting for documentation around the same.

 

@CR The USERID has been removed from the screenshot.



@sudeshjaiswal Any update?



Hello @rushikeshvartak,

Currently this is not feasible; you need to grant all the permissions as mentioned in the document.

Thanks.


The documentation has additional privileges which should be removed.

 

Our use case is resolved with Mail.Read.

 

The documentation needs to remove the below permissions:

  • Mail.ReadBasic.All --> Not required: provides access to read everyone's mailbox in the organization.

  • Mail.Send >> Not needed, as we don't send email from the mailbox, such as a "request approval already processed" message.

  1. Mail.Read:
    • This permission scope grants the application the ability to read mail that the signed-in user can access. It includes the user's own mailbox and any shared mailboxes they have access to. It allows reading all mail messages in the signed-in user's mailbox, including their body, subject, and any attachments.

  2. Mail.ReadBasic:
    • This permission scope grants the application the ability to read a basic set of mail data from the signed-in user's mailbox. It includes only a subset of mail properties, such as the message subject and sender, but does not include the message body or attachments. This scope provides access to a limited set of mail data for scenarios where full access is not required.

  3. Mail.ReadBasic.All:
    • This permission scope grants the application the ability to read a basic set of mail data from all mailboxes in the organization without a signed-in user. It provides access to a limited set of mail properties across all mailboxes in the organization, similar to Mail.ReadBasic, but without requiring a signed-in user.

  4. Mail.ReadWrite:
    • This permission scope grants the application the ability to read, create, and update mail in the signed-in user's mailbox. It includes the ability to read and modify existing mail messages, create new messages, and update message properties such as the subject, body, and recipients.

  5. Mail.Send:
    • This permission scope grants the application the ability to send mail on behalf of the signed-in user. It allows the application to create and send new mail messages from the user's mailbox, using their identity as the sender.

 


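The scoping approach raised in the opening post (the linked auth-limit-mailbox-access article) and the Mail.Read outcome above, as an added example that is not part of this thread or of Saviynt's product: an Exchange Online application access policy that restricts the app registration holding the Mail.Read application permission to one mail-enabled security group containing only the approval mailbox, then verifies the result for an in-scope and an out-of-scope mailbox. The app id, group address and mailbox addresses are placeholders.

```powershell
# Added example: limit a Graph app's Mail.Read application permission to a
# single mailbox with an Exchange Online application access policy.
# Placeholder values (not from the thread): $AppId, $ScopeGroup, $ApprovalMailbox, $OtherMailbox.
$AppId           = '00000000-0000-0000-0000-000000000000'   # app registration (client) id
$ScopeGroup      = 'saviynt-mailbox-scope@contoso.example'  # mail-enabled security group
$ApprovalMailbox = 'approvals@contoso.example'              # the only mailbox the app may read
$OtherMailbox    = 'someone.else@contoso.example'           # any mailbox that must stay denied

# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

# The group defines the scope: only its members are reachable by the app.
if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'Saviynt mailbox scope' -PrimarySmtpAddress $ScopeGroup -Type Security | Out-Null
}
Add-DistributionGroupMember -Identity $ScopeGroup -Member $ApprovalMailbox -ErrorAction SilentlyContinue

# RestrictAccess: the app's Mail.* application permissions work only for group members,
# so Mail.Read can be granted without exposing every mailbox in the tenant.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -Description 'Limit the actionable-email approval app to the approval mailbox'

# Verify before relying on it: Granted for the approval mailbox, Denied for everyone else.
$expected = @{ $ApprovalMailbox = 'Granted'; $OtherMailbox = 'Denied' }
foreach ($mbx in $expected.Keys) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    $status = if ($result.AccessCheckResult -eq $expected[$mbx]) { 'OK      ' } else { 'MISMATCH' }
    Write-Output ('{0} {1,-35} {2}' -f $status, $mbx, $result.AccessCheckResult)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Policy changes do not take effect immediately, so re-run the verification loop after a while before treating the result as final. An ErrorAccessDenied like the one in the opening post is also what a policy-denied request returns, so Test-ApplicationAccessPolicy separates a scoping problem from a missing permission grant.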

sudeshjaiswal
Saviynt Employee

Hello @rushikeshvartak,

Thank you for providing detailed information. You have the option to share your feedback on the documentation portal and also, you can create a Knowledge Base Article.
This would greatly benefit end users who may have similar use cases.

Thanks.


Only employees are allowed to create KBs, and feedback is provided with the forum link; the TAM has also been informed.

