company is developing an automated notification system that sends PDF reports via email to employees. Describe how to configure Microsoft Entra ID and Microsoft Graph API to authenticate the app and send emails with attachments. Outline the necessary API

konaAsha 5 Reputation points
2025-02-06T19:39:10.4266667+00:00

company is developing an automated notification system that sends PDF reports via email to employees. Describe how to configure Microsoft Entra ID and Microsoft Graph API to authenticate the app and send emails with attachments. Outline the necessary API permissions

Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. joshni jajula 0 Reputation points
    2025-02-06T19:41:12.1233333+00:00

    To develop an automated notification system that sends PDF reports via email to employees using Microsoft Entra ID (formerly Azure AD) and Microsoft Graph API, you need to configure the app registration, grant necessary API permissions, and implement the logic to send emails with attachments. Below is a detailed step-by-step guide:


    Step 1: Register the Application in Microsoft Entra ID

    1. Log in to the Azure Portal:
    2. Register the Application:
      • Navigate to Microsoft Entra ID > App registrations > New registration.
      • Provide a name for your app (e.g., NotificationSystem).
      • Select the appropriate Supported account types (e.g., "Accounts in this organizational directory only").
      • Leave the Redirect URI blank for now (unless your app requires a callback URL).
      • Click Register.
    3. Note the Application (Client) ID and Tenant ID:
      • After registration, note the Application (Client) ID and Directory (Tenant) ID from the app’s overview page. These will be used in your code.
    4. Generate a Client Secret:
      • Go to Certificates & secrets > New client secret.
      • Provide a description and set an expiration period.
      • Click Add and copy the client secret value (you won’t be able to retrieve it later).

    Step 2: Configure API Permissions

    1. Add Microsoft Graph API Permissions:
      • Go to API permissions > Add a permission > Microsoft Graph.
      • Select Application permissions (since this is an automated system without user interaction).
      • Add the following permissions:
        • Mail.Send (to send emails).
        • Mail.ReadWrite (to manage emails).
        • User.Read.All (to read employee details).
      • Click Add permissions.
    2. Grant Admin Consent:
      • Click Grant admin consent for [Your Organization] to approve the permissions.

    Step 3: Authenticate the Application

    To authenticate the app, use the Client Credentials Flow since this is an automated system.

    1. Acquire an Access Token:
      • Use the following details to request an access token from Microsoft Entra ID:
        • Token Endpoint: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
        • Request Body:

              grant_type=client_credentials
              &client_id={client-id}
              &client_secret={client-secret}
              &scope=https://graph.microsoft.com/.default

      • Example using curl:

              curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
                -d "grant_type=client_credentials&client_id={client-id}&client_secret={client-secret}&scope=https://graph.microsoft.com/.default" \
                "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token"

      • The response will include an access_token that you can use to call Microsoft Graph API.

    Step 4: Send Emails with Attachments Using Microsoft Graph API

    1. Prepare the Email Payload:
      • Construct the email payload with the PDF attachment. Use the base64 encoded content of the PDF file.
      Example JSON payload:

          {
            "message": {
              "subject": "Monthly Report",
              "body": {
                "contentType": "Text",
                "content": "Please find the attached monthly report."
              },
              "toRecipients": [
                {
                  "emailAddress": {
                    "address": "employee@example.com"
                  }
                }
              ],
              "attachments": [
                {
                  "@odata.type": "#microsoft.graph.fileAttachment",
                  "name": "Report.pdf",
                  "contentBytes": "base64-encoded-pdf-content"
                }
              ]
            }
          }

    2. Send the Email:
      • Use the Microsoft Graph API endpoint to send the email:

              POST https://graph.microsoft.com/v1.0/users/{sender-email}/sendMail

      • Include the access_token in the Authorization header:

              Authorization: Bearer {access-token}
              Content-Type: application/json

      Example using curl:

          curl -X POST -H "Authorization: Bearer {access-token}" -H "Content-Type: application/json" \
            -d @email-payload.json \
            "https://graph.microsoft.com/v1.0/users/{sender-email}/sendMail"


    Step 5: Handle Large Attachments Securely

    For large attachments (greater than 3 MB), use the Upload Session feature of Microsoft Graph API.

    1. Create an Upload Session:
      • Send a POST request to create an upload session:

              POST https://graph.microsoft.com/v1.0/users/{sender-email}/messages/{message-id}/attachments/createUploadSession

      • Request Body:

              {
                "attachmentItem": {
                  "attachmentType": "file",
                  "name": "LargeReport.pdf",
                  "size": {file-size-in-bytes}
                }
              }

    2. Upload the File in Chunks:
      • Use the uploadUrl returned from the upload session to upload the file in chunks (e.g., 4 MB chunks).
      • Example using curl:

              curl -X PUT -H "Content-Length: {chunk-size}" -H "Content-Range: bytes {start}-{end}/{total-size}" \
                --data-binary @chunk-file \
                "{upload-url}"

    3. Send the Email:
      • Once the file is uploaded, send the email as described in Step 4.

    Step 6: Implement Error Handling and Logging

    • Handle errors such as token expiration, API rate limits, and attachment upload failures.
    • Log all activities for auditing and troubleshooting.

    Summary

    1. Register the app in Microsoft Entra ID and configure API permissions.
    2. Authenticate using the Client Credentials Flow.
    3. Use Microsoft Graph API to send emails with attachments.
    4. For large attachments, use the Upload Session feature.
    5. Implement error handling and logging for robustness.

    This setup ensures secure and efficient email delivery with attachments using Microsoft Entra ID and Microsoft Graph API.

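The flow in Steps 3 to 5 of the answer above, as an added Python example that is not part of either answer: it requests a token with the client credentials flow, builds the sendMail body from PDF bytes, and computes the Content-Range values for chunked upload. The function names and the CHUNK value are assumptions made for this example; it uses only the standard library.

```python
import base64, json, urllib.parse, urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
INLINE_LIMIT = 3 * 1024 * 1024  # Step 5 threshold: larger files go through an upload session
CHUNK = 3 * 1024 * 1024         # assumption: chunk size kept below the 4 MB named in Step 5

def get_token(tenant_id, client_id, client_secret):
    """Client credentials flow (Step 3); returns the access token string."""
    # Pass client_secret in from an environment variable or secret store, never source code.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def build_send_mail_payload(pdf_bytes, recipient, subject, text, name="Report.pdf"):
    """sendMail body (Step 4); refuses attachments that need an upload session."""
    if len(pdf_bytes) > INLINE_LIMIT:
        raise ValueError("attachment over 3 MB: use createUploadSession (Step 5)")
    return {"message": {
        "subject": subject,
        "body": {"contentType": "Text", "content": text},
        "toRecipients": [{"emailAddress": {"address": recipient}}],
        "attachments": [{
            "@odata.type": "#microsoft.graph.fileAttachment",
            "name": name, "contentType": "application/pdf",
            "contentBytes": base64.b64encode(pdf_bytes).decode("ascii"),
        }],
    }}

def content_ranges(total_size, chunk=CHUNK):
    """Content-Range header values for the chunked PUTs in Step 5 (end offset is inclusive)."""
    return [f"bytes {start}-{min(start + chunk, total_size) - 1}/{total_size}"
            for start in range(0, total_size, chunk)]

def send_mail(token, sender, payload):
    """POST /users/{sender}/sendMail; Graph answers 202 Accepted on success."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(sender, safe='@')}/sendMail",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

This example calls only sendMail, so Mail.Send is the only application permission it exercises. That permission covers every mailbox in the tenant unless it is scoped, for example with an Exchange Online application access policy.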

  2. Kancharla Saiteja 460 Reputation points Microsoft Vendor
    2025-02-11T11:31:37.9866667+00:00

    Hi konaAsha,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    As per your query, I understand that you would like to configure an API to send automated notification emails to users.

    To perform these operations, you need to configure an application in Azure App registrations. To configure an application, please follow this link. Once you have created this application, take a note of the client ID and client secret for further usage.

    Now you should add the permissions to the application from API permissions. Here there are two types of permissions: one is delegated (with user) and the other is application permission (without user). As you would like to automate the process, the application itself should have permissions to perform the operation. In such scenarios, you need to choose the application permissions. To find the relevant permissions which help you in sending the emails with data, kindly follow this document.

    To add the API permissions, you need to follow this document. In your scenario, I would suggest the following permissions which would help you in sending emails along with files:

    User.Read.All

    Mail.Send

    Mail.Send.Shared

    Mail.ReadWrite

    Once the permissions are provided, you can provide the admin consent for all the permissions. For additional information on application permissions, please check this document.

    Now you need to use the client credential flow in order to make the application perform this operation without any user interaction. Here is the document to understand the client credential flow. To retrieve a token using the client credential flow, you can follow this document.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
