I'm currently getting an Exchange Identity-Token via an Outlook Add-In. To validate this, I check if the part "msExchUid" of the token matches the field "msExchMailboxGuid" of my Active Directory.

Now I'm trying to do a similar check against the Azure Active Directory. The recommended way (by Microsoft) to get information from Azure is using Microsoft Graph. But after hours of research I found no way to get this specific MailboxGuid via Microsoft Graph.

I tried several REST-calls in the Graph-Explorer but neither "https://graph.microsoft.com/v1.0/me/mailboxsettings" nor "https://graph.microsoft.com/v1.0/me" did return the value I am looking for.

The only thing I found was the Outlook API which hands me the value named as "x-mailboxGuid" in the response-header when calling "https://outlook.office.com/api/beta/me/mailboxsettings".

But as Microsoft itself recommends using Microsoft Graph for everything, I want to get the mailbox guid from there.

So my question is: Is there any way to get this value via Microsoft Graph?

André Frings
  • It's possible it's missing. Some people from the Graph team do monitor SO, so hopefully one of them can reply :) – juunas Sep 13 '19 at 13:47
  • What are you ultimately trying to do? Tokens are issued by Azure AD, so validating them does not necessarily require calling Microsoft Graph. – Paul Schaeflein Sep 13 '19 at 22:45
  • @PaulSchaeflein I've got a db-table that contains a sync of an AD respectively an Azure AD. Now I receive the Exchange ID-Token from my frontend and hand it to the backend, where I have to validate the token and finally find out, for which identity this token was issued, to get this user from my database. But the only information that is carried by the token and can help to identify the user is the field "msExchUid" (https://docs.microsoft.com/de-de/outlook/add-ins/authenticate-a-user-with-an-identity-token#validate-the-token). And I don't get this value from AAD during my sync process. – André Frings Sep 16 '19 at 06:08
  • Microsoft Graph is user-based, and it uses the [id property of the user resource](https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0) to uniquely identify the users. The sync process will work best using that id. – Paul Schaeflein Sep 16 '19 at 12:04

1 Answer

You can use AutoDiscover to get that, either the authenticated SOAP/POX version or the new v2 Autodiscover endpoint, which you can get with just an unauthenticated GET, e.g.:

Invoke-WebRequest https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/user@domain.com?Protocol=Rest 

And the Exchange Guid will be returned in the X-MailboxGuid header. The Exchange Guid isn't really considered private information, so you can use that request to get anybody's Exchange guid that's hosted on Office365.

Glen Scales
  • I think Microsoft have removed the X-MailboxGuid header from the AutoDiscover request. It's not in the Headers anymore when I tested today. – Brian Overby Oct 11 '21 at 07:21
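
The lookup the question describes (matching the token's "msExchUid" against a synced "msExchMailboxGuid"), as an added example that is not code from this thread. It assumes the token signature has already been verified elsewhere, that the payload uses the claim names from Microsoft's identity token documentation (`aud`, `nbf`, `exp`, `appctx` with `msexchuid` and `version`), and that the row layout and add-in URL are hypothetical.

```python
import base64, json, time, uuid

def b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def mailbox_guid_from_token(token, expected_aud, now=None):
    """Check payload claims and return msexchuid as uuid.UUID.
    The signature is NOT checked here; verify it first and reject on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = b64url_json(parts[1])
    if not (int(payload["nbf"]) <= now < int(payload["exp"])):
        raise ValueError("token outside its validity window")
    if payload.get("aud") != expected_aud:
        raise ValueError("token was issued for a different add-in URL")
    appctx = payload["appctx"]
    if isinstance(appctx, str):  # assumption: may arrive as a JSON string
        appctx = json.loads(appctx)
    if appctx.get("version") != "ExIdTok.V1":
        raise ValueError("unexpected identity token version")
    return uuid.UUID(appctx["msexchuid"])

def normalize_directory_guid(value):
    """LDAP yields 16 raw bytes (little-endian GUID layout); tables often hold text."""
    if isinstance(value, (bytes, bytearray)):
        return uuid.UUID(bytes_le=bytes(value))
    return uuid.UUID(str(value).strip("{} "))

def find_user(token, directory_rows, expected_aud, now=None):
    """Return the synced row whose mailbox GUID matches the token, or None."""
    wanted = mailbox_guid_from_token(token, expected_aud, now)
    for row in directory_rows:
        if normalize_directory_guid(row["msExchMailboxGuid"]) == wanted:
            return row
    return None

# Constructed sample data (not a real token; the signature part is a dummy).
def make_segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_GUID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"
SAMPLE_AUD = "https://addin.example.com/taskpane.html"
SAMPLE_TOKEN = ".".join([make_segment({"alg": "RS256"}), make_segment({
    "aud": SAMPLE_AUD, "nbf": 1000, "exp": 2000,
    "appctx": json.dumps({"msexchuid": SAMPLE_GUID, "version": "ExIdTok.V1"})}), "sig"])
SAMPLE_ROWS = [{"user": "alice", "msExchMailboxGuid": uuid.UUID(SAMPLE_GUID).bytes_le},
               {"user": "bob", "msExchMailboxGuid": "{11111111-2222-3333-4444-555555555555}"}]
```

Comparing parsed `uuid.UUID` values rather than strings avoids false mismatches from case, braces, or the byte order of the raw directory attribute.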