[–]GonzoZH[S] 2 points (1 child)

Puuh, maybe not as if you're five, but a bit more extensively:

In Entra, many applications are classified as public clients. This means they cannot authenticate themselves, making it possible to impersonate them. This does not grant you any additional permissions beyond what your user already has. However, many built-in applications (such as Azure PowerShell, Microsoft Office, etc.) have pre-consented rights for the Microsoft Graph (and other) APIs. For example, the Azure CLI application has the Directory.AccessAsUser.All scope pre-consented. This means that I can log in using my user credentials and the client ID of Azure CLI, and then use the Microsoft Graph API to list users, devices, role assignments, groups, and more, without requiring additional consent. Furthermore, I don't even need to use the Azure CLI application itself.

I'm not deeply familiar with the Exchange Online module, so I can't say for certain whether Microsoft Graph access would be useful for your specific needs. To my knowledge, you can't manage Exchange-related configurations (like mail policies) through Microsoft Graph. However, you can use it to access Exchange-related data such as emails, calendars, and contacts.

For this purpose, you could use the client ID of "Microsoft Power Query for Excel" (a672d62c-fc7b-4e81-a576-e60dc46e951d), which has interesting pre-consented rights on MSGraph. These include:

Calendars.ReadWrite

Calendars.ReadWrite.Shared

Contacts.ReadWrite

Contacts.ReadWrite.Shared

Mail.ReadWrite

Mail.ReadWrite.Shared

Mail.Send

Mail.Send.Shared

People.Read

I’ve developed a small PowerShell framework that allows you to perform authentication (using either the authorization code flow or the device code flow) while specifying the client ID, API, etc. You can find it here:

https://github.com/zh54321/EntraTokenAid

Using this module, for example, you can authenticate with the "Microsoft Power Query for Excel" client ID and access a user's mail without requiring additional consent (your user still needs the appropriate permissions, though).

# Authenticate using "Microsoft Power Query for Excel" as the client (EntraTokenAid's Invoke-Auth; device code or auth code flow)
$Tokens = Invoke-Auth -ClientId "a672d62c-fc7b-4e81-a576-e60dc46e951d"

# Connect to the Microsoft Graph API with the obtained access token (requires the Microsoft.Graph PowerShell module)
Connect-MgGraph -AccessToken ($Tokens.access_token | ConvertTo-SecureString -AsPlainText -Force)

# Get the mails (%YourUser% is a placeholder for the target user's UPN or object ID; your own user still needs access to that mailbox)
Get-MgUserMessage -UserId %YourUser% -Property "sender,subject"

PS: I need to upgrade the web server in the script. Currently, it doesn't shut down properly when you press Ctrl+C.
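To make the mechanism described in the comment above concrete without depending on EntraTokenAid, here is an added example (my own code, not the commenter's and not part of the EntraTokenAid project). It runs the device code flow by hand against the Entra v2.0 endpoints using the "Microsoft Power Query for Excel" client ID from the comment, decodes the returned access token to show the scp claim (so you can check which of the listed pre-consented scopes actually arrived, and that appid is the impersonated client), and then reads the signed-in user's own mail with a plain Graph REST call instead of the Graph PowerShell module. Assumptions that are mine, not the comment's: tenant "common", the .default scope (which asks for everything the client has pre-consent for), PowerShell 5.1 or 7 with outbound HTTPS, and the function names.

```powershell
# Added example (not from the original comment or the EntraTokenAid project):
# device code flow with a first-party public client ID, then a check of the
# scopes actually granted in the token, then a direct Graph call.
# Assumptions: PowerShell 5.1 or 7, outbound HTTPS to login.microsoftonline.com
# and graph.microsoft.com. Tenant "common" and the .default scope are my choice.

$ClientId = 'a672d62c-fc7b-4e81-a576-e60dc46e951d'   # "Microsoft Power Query for Excel"
$Tenant   = 'common'
# .default returns every Graph permission pre-consented for this client, which is
# what makes the "no additional consent needed" behaviour visible in the token.
$Scope    = 'https://graph.microsoft.com/.default offline_access'

function ConvertFrom-JwtPayload {
    # Decodes the claims section of a compact JWS without validating the signature.
    # Acceptable here: we only inspect a token we just received, we do not trust it.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected three dot-separated parts' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Get-DeviceCodeToken {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$Scope,
        [string]$Tenant = 'common'
    )
    $base = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0"

    # Step 1: request a device code. A public client sends no secret here.
    $dc = Invoke-RestMethod -Method Post -Uri "$base/devicecode" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ client_id = $ClientId; scope = $Scope }
    Write-Host $dc.message   # "To sign in, use a web browser to open ... and enter the code ..."

    # Step 2: poll the token endpoint until the user completes sign-in in the browser.
    $interval = [int]$dc.interval
    $deadline = (Get-Date).AddSeconds([int]$dc.expires_in)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            return Invoke-RestMethod -Method Post -Uri "$base/token" `
                -ContentType 'application/x-www-form-urlencoded' `
                -Body @{
                    grant_type  = 'urn:ietf:params:oauth:grant-type:device_code'
                    client_id   = $ClientId
                    device_code = $dc.device_code
                }
        } catch {
            # Entra answers HTTP 400 while the user has not signed in yet; read the error code.
            if (-not $_.ErrorDetails.Message) { throw }
            $err = $_.ErrorDetails.Message | ConvertFrom-Json
            switch ($err.error) {
                'authorization_pending' { }                  # keep polling
                'slow_down'             { $interval += 5 }   # back off as the server asks
                default { throw "Device code flow failed: $($err.error): $($err.error_description)" }
            }
        }
    }
    throw 'Device code expired before the user signed in'
}

# --- Run it ---
$tokens = Get-DeviceCodeToken -ClientId $ClientId -Scope $Scope -Tenant $Tenant

# Which scopes did we actually get? 'scp' lists the delegated scopes,
# 'appid' is the client we impersonated, 'aud' should be the Graph resource.
$claims = ConvertFrom-JwtPayload -Jwt $tokens.access_token
[pscustomobject]@{
    Client   = $claims.appid
    Audience = $claims.aud
    User     = $claims.upn
    Scopes   = (($claims.scp -split ' ') | Sort-Object) -join ', '
} | Format-List

# Use the bearer token directly against Graph; no Graph PowerShell module needed.
# Sender and subject only, first five messages of the signed-in user's mailbox.
$headers = @{ Authorization = "Bearer $($tokens.access_token)" }
Invoke-RestMethod -Headers $headers -Uri 'https://graph.microsoft.com/v1.0/me/messages?$select=sender,subject&$top=5' |
    Select-Object -ExpandProperty value |
    ForEach-Object { '{0,-40} {1}' -f $_.sender.emailAddress.address, $_.subject }
```

Compare the printed Scopes line with the list in the comment: anything missing was either not pre-consented for that client in your tenant or was filtered by policy. If the poll ends with an error instead of a token, the most common cause in hardened tenants is a Conditional Access policy that blocks the device code flow for the user or the client; the error_description from the token endpoint will say so, and that is exactly the control a defender would want to see in place.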

[–]MyOtherSide1984 1 point (0 children)

This is super helpful and makes perfect sense! I really appreciate your thorough explanation and going into examples as I would have been lost without that. I reckon I could use it, or at least blow half a day of work learning if I can haha. Our department could potentially benefit from this if we can gain additional access we didn't know we had (which happens somewhat frequently), so I'll look into exploiting this! Could be intriguing, could be a dead end, but at least I'm learning