
MSGraph permissions help #560

Closed
ijeries opened this issue Sep 10, 2024 · 3 comments

Comments


ijeries commented Sep 10, 2024

Hi


Would anyone please be able to help me find/work out which permissions are missing from the below setup in order for ParseDMARC to pull reports from a shared mailbox on MS office 365 (business/paid for) using MSGraph?

The shared mailbox has a valid license attached and I can logon to it via a browser. I can also see/read the dmarc reports in browser.

ParseDMARC is on the latest version 8.15.0.

Here is the parseDMARC config:

[general]
save_aggregate = True
save_forensic = True

[mailbox]
watch = True
delete = True
reports_folder = Inbox
batch_size = 1000

[msgraph]
enabled = True
user =
password =
mailbox =
auth_method = ClientSecret
tenant_id =
client_id =
client_secret =

I've created an Azure app + granted the following permissions:

  • Read.Mail
  • Mail.Read.Shared
  • Mail.ReadWrite
  • Mail.ReadWrite.Shared
  • Offline_access
  • Openid

I currently see the following error:


Sep 10 16:17:01 Server01 systemd[1]: Stopped parsedmarc mailbox watcher.
Sep 10 16:17:01 Server01 systemd[1]: Started parsedmarc mailbox watcher.
Sep 10 16:17:02 Server01 parsedmarc[56889]: ERROR:cli.py:1406:Mailbox Error
Sep 10 16:17:02 Server01 parsedmarc[56889]: Traceback (most recent call last):
Sep 10 16:17:02 Server01 parsedmarc[56889]: File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/cli.py", line 1385, in _main
Sep 10 16:17:02 Server01 parsedmarc[56889]: reports = get_dmarc_reports_from_mailbox(
Sep 10 16:17:02 Server01 parsedmarc[56889]: File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/init.py", line 1446, in get_dmarc_reports_from_mailbox
Sep 10 16:17:02 Server01 parsedmarc[56889]: connection.create_folder(aggregate_reports_folder)
Sep 10 16:17:02 Server01 parsedmarc[56889]: File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/mail/graph.py", line 123, in create_folder
Sep 10 16:17:02 Server01 parsedmarc[56889]: parent_folder_id = self._find_folder_id_with_parent(
Sep 10 16:17:02 Server01 parsedmarc[56889]: File "/opt/parsedmarc/venv/lib/python3.10/site-packages/parsedmarc/mail/graph.py", line 245, in _find_folder_id_with_parent
Sep 10 16:17:02 Server01 parsedmarc[56889]: raise RuntimeWarning(f"Failed to list folders."
Sep 10 16:17:02 Server01 parsedmarc[56889]: RuntimeWarning: Failed to list folders.{'error': {'code': 'ErrorAccessDenied', 'message': 'Access is denied. Check credentials and try again.'}}
Sep 10 16:17:03 Server01 systemd[1]: parsedmarc.service: Main process exited, code=exited, status=1/FAILURE
Sep 10 16:17:03 Server01 systemd[1]: parsedmarc.service: Failed with result 'exit-code'.

Thank you!

@ijeries ijeries changed the title MSGraph graph permissions help MSGraph permissions help Sep 10, 2024
seanthegeek (Contributor) commented

There might be a delay in the permissions being applied. #483 (comment)


ijeries commented Sep 13, 2024

Thank you @seanthegeek, appreciate the response.


ijeries commented Sep 13, 2024

Sharing my solution below before closing this issue in the hope it helps others.

o365 = Microsoft Office 365 (business/paid for subscription)
App = ParseDMARC app created within the o365 tenant

======= o365 setup ===========

  1. In o365 Entra - create a ParseDMARC app
  2. Edit the app ==> API permission option + grant the ParseDMARC app permissions:
    Type: Select MS Graph ==> then application permission
    Search for + apply permission: Mail.ReadWrite
    Hit the Grant Admin consent for ...
  3. Open o365 exchange and do the following:
    a) Create a mail enabled security group
    b) Make the shared mailbox a member of this mail enabled security group.

=========== o365 powershell =======

  1. Using PowerShell, connect to Exchange Online - https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
  2. Run the following cmdlet to limit the o365 ParseDMARC app's access to the shared mailbox only.
    Note: by default, the above app permission grants access to all mailboxes.

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "<CLIENT_ID>" -PolicyScopeGroupId "<mail-enabled-security-group email>" -Description "Restrict ParseDMARC app access to the reports shared mailbox only."

  3. Within PowerShell, use the following to test that the permissions are only granted to the required mailbox/resource:
    Test-ApplicationAccessPolicy -Identity <e-mail> -AppId "ID string"

========== parsedmarc.ini working config: ========

[general]
# save DMARC rua and ruf reports to Splunk, True/False. 
save_aggregate = True
save_forensic = True

[mailbox]
watch = True
delete = True
reports_folder = Inbox
batch_size = 1000

[msgraph]
## access via MS graph API. Can only read content of declared shared mailbox.
enabled = True
mailbox = <e-mail of shared mailbox>
auth_method = ClientSecret
tenant_id = <string>
client_id = <string>
client_secret = <string>

Restart the parsedmarc services and check status using:

sudo systemctl daemon-reload
sudo systemctl enable parsedmarc.service
sudo service parsedmarc restart
sudo service parsedmarc status
sudo journalctl -eu parsedmarc
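As an added check (example script written for this page, not code from the issue or from the parsedmarc project): after the New-ApplicationAccessPolicy step above, confirm that the RestrictAccess policy really scopes the app to the reports mailbox by testing one mailbox that should be Granted and one that must be Denied. The app ID and both mailbox addresses are placeholders you replace with your own values.

```powershell
# Added verification script for the ApplicationAccessPolicy described in this issue.
# Placeholder values (assumptions): replace with your own app ID and mailboxes.
$AppId          = "<CLIENT_ID>"                 # Entra app (client) ID of the ParseDMARC app
$ReportsMailbox = "dmarc-reports@example.com"   # shared mailbox ParseDMARC is allowed to read
$ControlMailbox = "someone.else@example.com"    # any other mailbox; the app must NOT reach it

Connect-ExchangeOnline -ShowBanner:$false

# List the policies that apply to this app; expect one RestrictAccess entry
# whose scope is the mail-enabled security group containing the shared mailbox.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-Table AppId, ScopeName, AccessRight, Description -AutoSize

# Test-ApplicationAccessPolicy returns an object whose AccessCheckResult
# is "Granted" or "Denied"; compare it with what least privilege requires.
function Test-ParsedmarcScope {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [ValidateSet('Granted', 'Denied')] [string] $Expected
    )
    $result = Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $Mailbox
        Result   = $result.AccessCheckResult
        Expected = $Expected
        Pass     = ($result.AccessCheckResult -eq $Expected)
    }
}

$checks = @(
    Test-ParsedmarcScope -Mailbox $ReportsMailbox -Expected 'Granted'
    Test-ParsedmarcScope -Mailbox $ControlMailbox -Expected 'Denied'
)
$checks | Format-Table -AutoSize

# Fail loudly if the app can still reach the control mailbox, or cannot
# reach the reports mailbox, instead of discovering it from parsedmarc logs.
if ($checks.Pass -contains $false) {
    Write-Warning "Application access policy is not scoped as intended; fix it before starting parsedmarc."
    exit 1
}
Write-Host "Policy scope verified: app limited to $ReportsMailbox."
```

A Denied result for the reports mailbox right after creating the policy can simply mean the policy has not propagated yet; rerun the checks after a short wait before changing anything.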


@ijeries ijeries closed this as completed Sep 13, 2024

2 participants