How to Enable Access from NoCode-X to Microsoft Graph API in a Secure Manner
Use Case: Automating Email Processing with NoCode-X via Microsoft Graph API
The goal is to enable NoCode-X to securely access and process emails from a specific Exchange Online mailbox using the Microsoft Graph API. The application will perform the following tasks:
- Read Emails: Retrieve emails from a specific mailbox, including their attachments.
- Process Emails: Automate workflows in NoCode-X to handle the email content and attachments.
- Move Emails: After processing, move the email to a designated folder (e.g., "Processed").
- Flag Emails: Mark emails as "Processed" or "Unprocessed" based on the outcome of the automation.
- Secure Access: Ensure that the application has scoped and secure access to only the required mailbox.
This integration will streamline email handling, reduce manual effort, and ensure secure and efficient automation.
Steps to Enable Access from NoCode-X to Microsoft Graph API
1. Provision an Application Identity in Entra ID
- Log in to Azure Portal: Navigate to Azure Active Directory (Microsoft Entra ID).
- Register a New Application:
- Go to App Registrations and click New Registration.
- Provide a name for the application (e.g., "NoCode-X Email Integration").
- Choose the appropriate Supported Account Types (e.g., single tenant or multi-tenant).
- Set the Redirect URI if required by NoCode-X.
- Save Application Details:
- Note the Application (client) ID and Directory (tenant) ID for later use.
2. Assign Permissions to the Application Identity
To enable the application to interact with the mailbox, assign the following permissions:
2.1 Exchange Online Permissions
- Permission: Mail.ReadWrite
- Allows the application to:
- Read emails and their attachments.
- Move emails to another folder.
- Flag emails as "Processed" or "Unprocessed."
- Scope: Restrict this permission to the specific mailbox using an Application Access Policy (see Step 3).
2.2 Grant Admin Consent
- After assigning the permissions, grant Admin Consent in the Azure portal to allow the application to use the assigned permissions.
3. Scope Access to a Specific Mailbox
To ensure secure access, limit the application's permissions to a specific mailbox using an Application Access Policy in Exchange Online:
- Connect to Exchange Online PowerShell:
Connect-ExchangeOnline
- Create the Policy: Run the following PowerShell command to create an Application Access Policy:
New-ApplicationAccessPolicy -AppId "<Application (client) ID>" `
-PolicyScopeGroupId "<Security Group ID>" `
-AccessRight RestrictAccess `
-Description "Restrict access to specific mailbox"
- Replace the following values:
- <Application (client) ID>: Use your registered application's ID.
- <Security Group ID>: Use the ID of the security group containing the target mailbox.
- <Mailbox>: Use the email address of the target mailbox (the member of that security group).
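The whole of Step 3 as one runnable sequence, added here as an example that is not part of the original page: it creates the scoping group, applies the policy, and then checks with Test-ApplicationAccessPolicy that the app reaches only the intended mailbox. The mailbox addresses and group name are constructed placeholders; replace them with your own.

```powershell
# Added example (not from the original page). Placeholder values below are constructed.
$AppId         = "<Application (client) ID>"
$TargetMailbox = "invoices@contoso.example"   # the one mailbox NoCode-X may process
$OtherMailbox  = "finance@contoso.example"    # any mailbox the app must NOT reach

Connect-ExchangeOnline

# Application Access Policies are scoped by a mail-enabled security group,
# so create one whose only member is the target mailbox.
$Group = New-DistributionGroup -Name "NoCode-X Mailbox Scope" -Type Security
Add-DistributionGroupMember -Identity $Group.Identity -Member $TargetMailbox

# RestrictAccess: the app's Mail.ReadWrite permission now applies only to group members.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $Group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Restrict NoCode-X to the invoices mailbox"

# Verify before handing out credentials (the policy can take some time to propagate).
# Expected AccessCheckResult: Granted for the target mailbox, Denied for any other.
Test-ApplicationAccessPolicy -Identity $TargetMailbox -AppId $AppId | Select-Object Identity, AccessCheckResult
Test-ApplicationAccessPolicy -Identity $OtherMailbox  -AppId $AppId | Select-Object Identity, AccessCheckResult

# Periodic review: list every policy in the tenant so unexpected app scopes stand out.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description
```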
4. Share the Credentials Securely
To allow NoCode-X to authenticate with the Microsoft Graph API, provide the following credentials to the NoCode-X developer in a secure manner:
- Application (client) ID: The unique identifier of the registered application in Entra ID.
- Directory (tenant) ID: The unique identifier of the Azure Active Directory tenant.
- Client Secret: A secret key generated in the Azure portal under the app's Certificates & Secrets section.
Security Guidelines:
- Share these credentials securely using an encrypted channel (e.g., secure email, encrypted file sharing).
- Alternatively, use a secure password manager to share the credentials.
- Avoid sharing credentials over insecure channels like plain-text email or messaging apps.
- Document the date of credential sharing and set reminders for credential rotation.
Privileges Needed for Email Processing
The following privileges are required to enable the described functionality:
1. Read Emails
- Permission: Mail.ReadWrite
- Purpose: Allows the application to:
- Read emails and their attachments.
- Access email metadata.
2. Process Emails
- Permission: Mail.ReadWrite
- Purpose: Enables the application to:
- Move emails to a designated folder (e.g., "Processed").
- Flag emails as "Processed" or "Unprocessed" using the Flag property of the email message.
3. Scope Access
- Implementation: Use an Application Access Policy to restrict access to the specific mailbox.
- Purpose: Ensures the application can only access the required mailbox and no others.
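The Graph API calls behind the three privileges above (read, move, flag), as an added example that is not part of the original page. It assumes the client-credentials token flow with the credentials from Step 4, a mailbox address and destination folder id you supply, and a mapping of "Processed" to flagStatus "complete" and "Unprocessed" to "flagged"; the transport is injectable so the request logic can be exercised without a tenant.

```python
# Added example, not the original page's code. Uses only the standard library.
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials (app-only) token request using the Step 4 credentials.
    Returns (method, url, form_body) so it can be sent with any transport."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return "POST", f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", form


def urllib_send(method, url, body=None, token=None):
    """Real HTTPS transport. Form bodies arrive as bytes, Graph bodies as dicts."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    if isinstance(body, dict):
        headers["Content-Type"] = "application/json"
        body = json.dumps(body).encode()
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class MailboxProcessor:
    """Read, move and flag messages in one mailbox; 'send' is injectable for dry runs."""

    def __init__(self, mailbox, token, send=urllib_send):
        self.base = f"{GRAPH}/users/{mailbox}"  # app-only calls must name the mailbox
        self.token, self.send = token, send

    def list_inbox(self, top=50):
        url = f"{self.base}/mailFolders/inbox/messages?$select=id,subject,hasAttachments&$top={top}"
        return self.send("GET", url, token=self.token).get("value", [])

    def mark(self, message_id, processed):
        # Assumption: "Processed" -> flagStatus "complete", "Unprocessed" -> "flagged".
        body = {"flag": {"flagStatus": "complete" if processed else "flagged"}}
        return self.send("PATCH", f"{self.base}/messages/{message_id}", body, self.token)

    def move(self, message_id, folder_id):
        body = {"destinationId": folder_id}  # folder_id: id of the "Processed" folder
        return self.send("POST", f"{self.base}/messages/{message_id}/move", body, self.token)
```

Because the app token is not tied to a signed-in user, every call names the mailbox in the path, which is exactly what the Application Access Policy from Step 3 constrains.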
Summary of Steps
- Provision an Application Identity:
- Register the application in Entra ID.
- Save the Application (client) ID, Directory (tenant) ID, and Client Secret.
- Assign Permissions:
- Grant the Mail.ReadWrite permission for Exchange Online.
- Scope Access:
- Use an Application Access Policy to restrict access to the specific mailbox.
- Grant Admin Consent:
- Approve the permissions in the Azure portal to allow the application to use them.
- Share Credentials Securely:
- Provide the application credentials to the NoCode-X developer securely.
Conclusion
By following these steps, you can securely enable NoCode-X to interact with the Microsoft Graph API for email processing while maintaining strict access controls. This ensures that the application has the necessary permissions to perform its tasks without compromising security.