Hello,
We would like to implement automated email delivery from a cloud application written in Python and deployed on AKS. We have the following elements in place:
- App Registration with "Delegation" type permissions to send emails.
- Service Principal credentials (client id + client secret)
- Shared Mailbox with permission granted already to the app registration.
The problem:
Situation 1: Access on Behalf of a User
- App Registration with "Delegation" type permissions to send emails.
https://learn.microsoft.com/en-us/graph/auth/auth-concepts#access-scenarios
User (logged in + access token) + Application ==> we are getting the following error:
Failed to send email. Status code: 403, Error: {"error":{"code":"ErrorSendAsDenied","message":"The user account which was used to submit this request does not have the right to send mail on behalf of the specified sending account., Cannot submit message."}}
We don't want to give the user access to the shared mailbox. This is an unacceptably high risk.
Situation 2: Access without User
- App Registration with "Application" type permissions to send emails.
It works when granting the "Application" type permissions; however, this means granting the application permissions to send emails on behalf of any user or on behalf of any shared mailbox in the organization, again an unacceptably high risk.
What would be the best approach to resolve this challenge?
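A minimal app-only (Situation 2) sender in Python, added here as an illustration and not code from the original post: it acquires a client-credentials token, posts to /users/{shared mailbox}/sendMail, and maps the 403 ErrorSendAsDenied body quoted above to a diagnosis. Tenant id, client credentials, mailbox address and recipients are assumed placeholders supplied by the caller.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant (Situation 2): app-only token, no signed-in user."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def build_send_mail(subject: str, body: str, recipients: list) -> dict:
    """Request body for POST /users/{mailbox}/sendMail (Graph v1.0 shape)."""
    return {"message": {"subject": subject,
                        "body": {"contentType": "Text", "content": body},
                        "toRecipients": [{"emailAddress": {"address": r}} for r in recipients]},
            "saveToSentItems": True}

def classify_graph_error(status: int, payload: str) -> str:
    """Turn a Graph error body ({"error": {"code": ..., "message": ...}}) into a diagnosis."""
    try:
        code = json.loads(payload).get("error", {}).get("code", "")
    except (json.JSONDecodeError, AttributeError):
        code = ""
    if status == 403 and code == "ErrorSendAsDenied":
        # The principal behind the token (the signed-in user in the delegated flow)
        # has no Send As right on the target mailbox; granting that right to the
        # user is what the post wants to avoid, so the app-only path is used instead.
        return "send-as denied for the token principal on the target mailbox"
    if status == 401:
        return "unauthenticated: token missing, expired or for the wrong audience"
    return f"unexpected {status}: {code or payload[:80]}"

def send_from_shared_mailbox(token: str, mailbox: str, mail: dict) -> str:
    """POST as the shared mailbox with an app-only token; 202 means accepted."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(mailbox)}/sendMail",
        data=json.dumps(mail).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return "sent" if resp.status == 202 else f"unexpected {resp.status}"
    except urllib.error.HTTPError as e:
        return classify_graph_error(e.code, e.read().decode(errors="replace"))
```

With Situation 2 the Graph application permission is tenant-wide; limiting which mailboxes the app may send from is done in Exchange Online with an application access policy (New-ApplicationAccessPolicy scoped to a mail-enabled security group containing the shared mailbox), not in this code.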