Processing meeting requests from azure logic app with azure functions












After spending hours of research I am nothing more than absolutely confused. There was so much change going on all around Azure Functions and Azure Logic Apps and Graph and authentication stuff around Azure AD, so it is really hard to find the right resources.

What I want to achieve is quite simple:

  1. An Azure logic app that is triggered when a new e-mail to a shared inbox is received.

  2. If these e-mails are meeting requests and they are marked as private or sent with status 'free', the meeting request should be automatically declined.

  3. A message is posted to a Slack channel.

Except for step number 2, everything is already working. Unfortunately no default connector provides any action to read more details about meeting requests, and there is no connector action to decline meeting requests. So the obvious way is to go with an Azure function and do the stuff with the Microsoft Graph API.

So the point where I always fail is:
How to get a correct auth token in the Azure function to access Microsoft Graph?

Since the logic app is executed non-interactively, I cannot do any interactive login, and I do not want to hardcode any credentials in the code.







microsoft-graph azure-functions azure-logic-apps
















asked Jan 1 at 15:24 by LaurinSt













  • You should use managed identity and grant permissions to your function to anything you need in Graph.

    – Thomas
    Jan 1 at 20:59

  • @LaurinSt for step 2 the status is sent from the headers, right?

    – HariHaran
    Jan 2 at 4:25

  • Hey @thomas - could you give an example of how this looks or a bit more information on where I can look? I did not find an example for this.

    – LaurinSt
    Jan 2 at 6:02

  • @HariHaran: I am not sure if I understand correctly what you mean.

    – LaurinSt
    Jan 2 at 6:03

  • @LaurinSt from the email body there's a Status field, so you should be able to read the body, right?

    – HariHaran
    Jan 2 at 6:17



















1 Answer

1. Open MSI in function app

In your function app, navigate to Platform features, select Identity and switch Status to On. Click Save.

2. Permissions and Roles for the Managed Service Identity

Give the service principal permission to get some directory data like user information from my Azure AD. The following Azure AD commands add my service principal to the AD directory role Directory Readers:

[image]

3. Get token

As you have turned on MSI in the Azure function, you could go to https://***.scm.azurewebsites.net, click Environment and get the MSI_SECRET.

    // Requires: using System; using System.Net.Http; using System.Threading.Tasks;
    private static readonly HttpClient client = new HttpClient(); // reuse one client across invocations

    public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion)
    {
        // MSI_ENDPOINT and MSI_SECRET are set by the platform once the identity is switched on.
        var request = new HttpRequestMessage(HttpMethod.Get, String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), Uri.EscapeDataString(resource), apiversion));
        request.Headers.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
        return await client.SendAsync(request);
    }

For more details, you could refer to this article and this one.

















answered Jan 2 at 7:12 by Joey Cai













  • Wow - thank you - that's a neat approach. One question: if I now need to process an e-mail in a user's inbox, what permissions do I need to set? Since with that approach I don't have an app registration, I cannot define scopes. How is this solved with MSI?

    – LaurinSt
    Jan 2 at 7:52

  • You could assign an Owner role to your service principal.

    – Joey Cai
    Jan 2 at 8:22

  • Owner role of what? Of an inbox? I don't want to make it domain admin or something similar. It just needs to be able to access a shared inbox.

    – LaurinSt
    Jan 2 at 9:38

  • If no constraint is specified the app is limited to performing the operations on the resources owned by the signed-in user. For example, Mail.Read grants permission to read only mail in the mailbox of the signed-in user. You could refer to this article and this SO thread.

    – Joey Cai
    Jan 3 at 7:16
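
One way to see what a managed identity's Graph token actually permits, as an added example that is not part of the original answer or comments: a token obtained without a signed-in user lists its application permissions in the `roles` claim, so the function can compare that claim against the set it is supposed to hold. The expected set (Mail.Read, Calendars.ReadWrite) is an assumption, the sample token is constructed and unsigned, and `MsiTokenCheck`, `Check` and `ExpectedRoles` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class MsiTokenCheck
{
    // Assumption: the only Graph application permissions this function should hold.
    static readonly string[] ExpectedRoles = { "Mail.Read", "Calendars.ReadWrite" };

    // Graph appears in "aud" either as its resource URI or as its well-known application ID.
    static readonly string[] GraphAudiences =
        { "https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000" };

    static string FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    static string ToBase64Url(string text) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Takes the JSON body returned by the MSI endpoint and compares the token's
    // permissions with ExpectedRoles. The signature is not verified here: this is a
    // configuration check on the function's own token, not an authentication step.
    public static (bool ok, List<string> missing, List<string> excess) Check(string msiResponseJson)
    {
        using var response = JsonDocument.Parse(msiResponseJson);
        string jwt = response.RootElement.GetProperty("access_token").GetString();
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("access_token is not a JWT");

        using var claims = JsonDocument.Parse(FromBase64Url(parts[1]));
        JsonElement root = claims.RootElement;
        string aud = root.GetProperty("aud").GetString().TrimEnd('/');

        // An identity with no Graph permissions granted has no "roles" claim at all.
        List<string> roles = root.TryGetProperty("roles", out JsonElement r)
            ? r.EnumerateArray().Select(x => x.GetString()).ToList()
            : new List<string>();

        List<string> missing = ExpectedRoles.Except(roles).ToList();
        List<string> excess = roles.Except(ExpectedRoles).ToList();
        bool ok = GraphAudiences.Contains(aud) && missing.Count == 0 && excess.Count == 0;
        return (ok, missing, excess);
    }

    public static void Main()
    {
        // Constructed sample: an identity that can read mail, cannot decline events,
        // and holds a directory-wide write permission it does not need.
        string payload = "{\"aud\":\"https://graph.microsoft.com\"," +
                         "\"roles\":[\"Mail.Read\",\"Directory.ReadWrite.All\"]}";
        string jwt = ToBase64Url("{\"alg\":\"none\"}") + "." + ToBase64Url(payload) + ".sig";
        string msiResponse = "{\"access_token\":\"" + jwt + "\",\"token_type\":\"Bearer\"}";

        var (ok, missing, excess) = Check(msiResponse);
        Console.WriteLine($"ok={ok}");
        Console.WriteLine("missing: " + string.Join(", ", missing));
        Console.WriteLine("excess:  " + string.Join(", ", excess));
    }
}
```

In the function, the string passed to `Check` would be the body of the response returned by `GetToken`; logging `missing` and `excess` once at start-up shows permission drift before the first Graph call fails or succeeds with more access than intended.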


















