Is DistinguishedFolderId 'inbox' guaranteed to exist? - exchange-server

In Exchange Web Services we used to check connectivity by looking for the 'calendar' DistinguishedFolderId for the logged in user:
What is the simplest EWS call to test connectivity?.
Our synchronization codes relies on calendars being shared with that logged in user (delegate access).
We found out that the logged in user does not necessarily have a 'calendar' DistinguishedFolderId. It looks like admins sometimes forget to create a calendar for that user (?). For the synchronization this is not an issue, because nothing needs to be accessed in that users calendar. But the connectivity test fails because of this.
I have now switched to quering DistinguishedFolderId 'inbox' using GetFolder for the connectivity test (and still look up 'calendar' for all the users that need to have their calendars synced).
But this brings up the question:
Is DistinguishedFolderId 'inbox' guaranteed to exist for an Exchange user?
We are talking about Windows AD users.

Default folders, such as the Inbox folder, can't be deleted.

Related

Is there a way to pull all exchange events for a specific room using graphAPI

Reviewing this, but not clear. Not looking to do this for just my user and can run with elevated application rights with access to all calendars.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/calendar_list_events
Yes you just need to make sure you give your application the following permission
Calendars.Read.Shared Read user and shared calendars Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.
ref https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
So as long as the calling account then has access to the Room Mailbox (eg via Delegation so they can access the same thing in Outlook etc) you just use the following endpoint
https://graph.microsoft.com/v1.0/users('room#domain.com')/calendar/events

Unable to perform GSuite Service Account Directory API call without known user

I've created a service account in G-Suite and delegated it domain wide authorization so that I can collect information on all the Drives within the suite.
The problem I've come across is that I need a list of all the users within the domain. To do so I can call the Directory API, but the problem is that I actually need to do that as one of the admins. The problem is that I can't know who the admins are without using one of the admins(or users? I confirmed the call to the directory API with a superadmin account). Is there a way to call the Directory API without a user email? Or is there a way to as the service account to get a list of the admins so that I can make API calls on their behalf?
To use Directory API, you must** impersonate one of the admins of the domain, as you say. There really isn't any way around it (as far as I'm aware) - you must ask the admin who's installing your app to provide their email address.
** For some activities, like listing all users, you can impersonate an end user, but that doesn't solve your problem.

Errors accessing Shared/Room Calendars through Microsoft Graph API

I'm making an application that requires access to the shared/room-resource calendars in an Office 365 instance, using non-admin accounts. I've registered an app (in the Microsoft Application Registration Portal) using the V2 endpoint and Auth Code Grant. This successfully allows me to log in, and gives me a functional token with the Calendars.ReadWrite.Shared scope. With this token, I can retrieve my own calendars, and calendars that have been explicitly shared with me (and therefore added to my list of calendars). All of this is doable with just the normal Calendars.ReadWrite scope.
However, I get errors when requesting access to any other shared calendars, like the room calendars. Here's an example. If I make a GET call to https://graph.microsoft.com/beta/users/my-own-email#business.com/calendars it successfully returns a list of my calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/calendars I get a 404 (Not Found) Error. The same error occurs for any other user, not just meeting rooms. Note that I can see these calendars when I'm logged into Office 365 online with the same account.
A different error occurs if I ask for events not calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/events, I get a 500 (Internal Server) Error.
I've checked all the other threads I can find on the issue, and this one from November How to access shared calendars from Office REST API? says there's some kind of blocking issue on Microsoft's end. It's using the Office REST API rather than Graph, but on the back-end the APIs call the same stuff. Is this issue still about? Alternatively, am I missing some further permissions? I tried adding quite a few different permissions on top of Calendars.ReadWrite.Shared, but none of them fixed it. Is there a correct combination?
Thanks so much for any help, and let me know if any other info would be useful for diagnosis.
So if anyone else happens to be interested in this, I figured out a way to access room resource calendars without using the Calendars.ReadWrite.Shared permission. This allows you to use just the Calendars.ReadWrite permission to access the room resources, by moving them into the list of calendars of the email you're authenticating with. However, it will only work for specific accounts that you share the calendars with, so won't be usable in apps that have to work for any account. This is good enough for my use-case, but may not be for yours.
First, find or make an account that is a delegate to, and has full access to, the room resource calendar you want to use. On that account click 'Open another mailbox' in the dropdown list under your profile image.
Open another mailbox location
In the pop-up that follows, put in the email address of the room resource calendar that you want to use.
Then, on the new page that opens (which should be the Office account of the room resource calendar):
Navigate to the calendar page
Click 'Share'
Share the default calendar with the account you plan to authenticate with.
Then log into that 'authentication' account, check its email for the notification of the shared calendar, and click 'accept'. What this will do is move the calendar into the authenticated account's list of calendars, meaning you can access it with just a call to the https://graph.microsoft.com/v1.0/me/calendars endpoint. You'll have to repeat it for every calendar you want to be able to access, sadly.

Is is possible to set the email address or name of a Google Service Account?

Our platform is using a Google Service Account to create folders on Google Drive and share the folders with some of our end users. Think of it as a replacement for the traditional hot folders on an ftp site.
The problems may seem minor but when the end-user sees our shared folder the owner appears as the service account email address which is pretty ugly and I'm assuming not meant for end-user viewing: "178235058172-hi96h0con2ipmnli26tn17bdodb5ba4c#developer.gserviceaccount.com". It's also the sender email address when the user receives the "I've shared an item with you" email when we share the folder with them.
Is there any way to have the email address be the name of our service? or a way to change the name of the owner of the shared folder?
It is not possible to change the name of the service account. Nor is it possible to give it a name.
You could crate a dummy gmail account for the company. grant it owner. Give the service account write access to it.
However if the service account shares the folder with someone its still going to show as the service account has shared the item with them.
Only real work around I can think of would be to use Oauth2, authenticate the code once so you have a refresh token. Then use the refresh token to gain access faking a service account. Its not truly a service account and if something happens to the refresh token you are going to have to reauthentcate.

Access user accounts in a domain without administrator rights

I am making a very simple marketplace app using the new SDK (Oauth 2.0). One of the steps would be to automatically invite team members for a closed group so I would need access to team members (users in same domain) from the user that is starting the process going through the default "navigator icon in google navigation menu".
This is working fine, however it is only working for administrators (tried with both Directory API and Profiles data API).Is there a way to simply "read" the email from users without needing to have administrator rights? It seems quite an overkill to ask a user to be administrator just for the purpose of being able to invite his team members.
These email addresses are in the user contact list for example, when writing an email they are automatically there so it shoulnt be much of permission problem I guess. can anyone help a bit on how I can accomplish this? Maybe a different API that I have not found?
Very much appreciated,
Best regards,
Joao Garin
You can use "Service Accounts" to access the Directory API on behalf of the Administrator when any user accesses the App.
The Drive API has a really good set of samples here - https://developers.google.com/drive/delegation
This same technique will work with Admin SDK. The end result is the auth is not made on behalf of the user at the keyboard but as an authorized Service Account. This Service Account is authorized by the admin at the time of install.

Resources