cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Unauthorized attempting to send Email with valid access token

Deleted
Not applicable

‎Nov 13 2018 05:01 PM

‎Nov 13 2018 05:01 PM

Unauthorized attempting to send Email with valid access token

Hi,

 

I'm attempting to programatically send email using PowerShell and the Office 365 outlook REST API (can't use SMTP as it's blocked).

 

I've managed to set up my Web App in Azure AD with what I'm pretty sure are the requisite permissions and have authorized those via the adminconsent URI. I've set up the shared secret and can successfully retrieve an access token using the client credentials flow, but when I attempt to use that token to send mail I get a 401 unauthorized error.

 

Here's my code with all the juicy bits replaced

 

$emailaddress = "<email address to send to>"
$secret = "<secret from Azure AD App registration>"
$urlencodedsecret = [System.Web.HttpUtility]::UrlEncode($secret)
$tenantid = "<our tenant id>"
$appid="<my app id>"
$requesturi = "https://login.microsoftonline.com/$tenantid/oauth2/token"
$body = "grant_type=client_credentials&client_id=$appid&client_secret=$urlencodedsecret" 
$response = Invoke-RestMethod -Method POST -Uri $requesturi -body $body -ContentType "application/x-www-form-urlencoded"
$token = $response.access_token;
 
So that all works OK and I get a nice shiny new access token - however when I try to use it ...
 
$bearerAuthHeader = "Bearer {0}" -f $token;
$headers = @{
    Authorization = $bearerAuthHeader;
    "x-AnchorMailbox" = "<my email address>"
};
$uri = "https://outlook.office365.com/api/v2.0/me/sendmail";
$body = '{
  "Message": {
    "Subject": "<Subject>",
    "Body": {
      "ContentType": "Text",
      "Content": "<Content>"
    },
    "ToRecipients": [
      {
        "EmailAddress": {
          "Address": "' + $emailaddress + '"
        }
      }
    ],
    "Attachments": [
      {
        "@odata.type": "#Microsoft.OutlookServices.FileAttachment",
        "Name": "<attachment name>,
        "ContentBytes": "<Base 64 encoded attachment>"
      }
    ]
  },
  "SaveToSentItems": "false"
}'
$sendMsgResult = Invoke-RestMethod -Method Post -Uri $uri -Body $body -Headers $headers -ContentType "application/json";
 
 
And that results in the following error
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.
At line:43 char:18
+ ... MsgResult = Invoke-RestMethod -Method Post -Uri $uri -Body $body -Hea ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
 
I've successfully used the exact same email sending code code with an access token obtained manually using the auth code grant flow - so I have no idea why I'm now getting the 401. It's as if the token I'm getting from the client credentials flow doesn't have the permissions I know I've set for it in AAD.
 
Any pointers for troubleshooting this further gratefully received.
 
Thanks,
 
Mark.
Labels:
8,447 Views
0 Likes
5 Replies
Reply
5 Replies
Juan Carlos González Martín

‎Nov 13 2018 10:37 PM

‎Nov 13 2018 10:37 PM

Re: Unauthorized attempting to send Email with valid access token

Why not use the Send-Email cmdlet? You can use Office 365 as your SMTP Server and compose also an HTML message to be send in your script
0 Likes
Reply
Vasil Michev

‎Nov 13 2018 11:40 PM

‎Nov 13 2018 11:40 PM

Re: Unauthorized attempting to send Email with valid access token

Do check the token for the scope/permissions, you can parse it on jwt.ms/jwt.io or via PowerShell as well if needed.

0 Likes
Reply
Mark Blackburn

‎Nov 14 2018 02:59 AM

‎Nov 14 2018 02:59 AM

Re: Unauthorized attempting to send Email with valid access token

As I stated at the beginning of the post - I can't use SMTP as it is blocked

0 Likes
Reply

‎Nov 14 2018 09:38 AM - edited ‎Nov 14 2018 09:40 AM

‎Nov 14 2018 09:38 AM - edited ‎Nov 14 2018 09:40 AM

Re: Unauthorized attempting to send Email with valid access token

So after a bit more reading I've discovered that you can't use a client credentials flow using a shared secret to send mail, you have to use a client credentials flow using certificates! Wish that ere documented better.

 

So I created a self-signed cert, uploaded it against the web app in Azure AD and updated the manifest to include the cert details. Then I tried rolling my own JWT and trying to sign it with RS256 to no avail. After more digging it's apparent that your self signed cert has to be created using the right provider or it won't be able to be used to sign RSA - only HMAC! - So switched from makecert to powershell to create the new cert - re-uploaded the public cert and re-updated the manifest on the app, then gave up on all the work I'd done earlier on JWT stuff and fell back on .NET ADAL modules.

 

After all that I can successfully obtain an authentication token using client credential flow and certificates - and analysing the JWT I get back I can see I have permissions to Send.Mail, but now when I try and use that token I'm getting a 403 Forbidden error!!

 

Who knew it could be so hard to send an email!!

 

Anyone have any idea what else I can try?

 

Thanks,

 

Mark.

0 Likes
Reply
best response

‎Nov 15 2018 03:29 AM

‎Nov 15 2018 03:29 AM

Solution

Re: Unauthorized attempting to send Email with valid access token

OK, I've figured out the issue - putting this here for others to find if they hit the same problem.

 

The underlying issue is that the O365 v2.0 Web API is woefully under-documented!

 

The main issue with using the Client Credentialworflow is that it authenticates the App itself, and not a user, therefore you need to specify the user to send the email from in the URI - but I had to guess that from the v1.0 API!

 

Changing the URI used with the access token from ;

 

https://outlook.office365.com/api/v2.0/me/sendmail

to

https://outlook.office365.com/api/v2.0/users/<user spn>/sendmail

 

Then the API knows which user the email is being sent from and the token which has the 'Send mail for any user' claim is accepted and the email is sent.

 

Hope others find this useful.

 

Regards,

 

Mark. 

1 Like
Reply
1 best response

Accepted Solutions
best response

‎Nov 15 2018 03:29 AM

‎Nov 15 2018 03:29 AM

Solution

Re: Unauthorized attempting to send Email with valid access token

OK, I've figured out the issue - putting this here for others to find if they hit the same problem.

 

The underlying issue is that the O365 v2.0 Web API is woefully under-documented!

 

The main issue with using the Client Credentialworflow is that it authenticates the App itself, and not a user, therefore you need to specify the user to send the email from in the URI - but I had to guess that from the v1.0 API!

 

Changing the URI used with the access token from ;

 

https://outlook.office365.com/api/v2.0/me/sendmail

to

https://outlook.office365.com/api/v2.0/users/<user spn>/sendmail

 

Then the API knows which user the email is being sent from and the token which has the 'Send mail for any user' claim is accepted and the email is sent.

 

Hope others find this useful.

 

Regards,

 

Mark. 

View solution in original post

1 Like
Reply