graph api: Application - Email limited permissions.

David Harrison 36

Hi all,

A little background.
I've created a console app that gets called via task scheduler.
using graph api sdk, It reads all emails in the inbox for a given mail account and downloads the attachments for further processing. then moves the email to an archive folder.
All works great..

problem
When I setup the azure app registration permissions for mail.readwrite its for application because there is no user intervention.
I found this level of permission allows access to any mail box in the organisation, which is not what we want.

How do I lock this down to a single mail account?

tia
Dave

Ishwari Thakur 16 Reputation points

2022-12-02T10:19:33.843+00:00

Did you found the solution for it?
Even I am facing the same issue.
Which api permissions did you select and what are other settings made in order to achieve your use-case?
David Harrison 36 Reputation points

2022-12-02T10:59:57.103+00:00

Hi Ishwari,

Yes, (my scenario was based on a large enterprise environment)
In the end, I had to get our Exchange/office 365 administrators to lock down the app registration to only one account rather then it being open to all.

So I believe that the app registrations can be locked down at exchange level?

Dave
Ishwari Thakur 16 Reputation points

2022-12-02T11:04:58.427+00:00

Hi David ,
I actually have the same issue.
My use-case needs me to download email attachments from a specific user and mark the email as "READ".
The issue is I can read email of all other users in my organization too.
How exactly did you resctrict it for a single user?
Can you guide me how did you managed to lock down the app registration to only one account.
David Harrison 36 Reputation points

2022-12-02T11:54:14.777+00:00

read this.. it should help

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users
Ishwari Thakur 16 Reputation points

2022-12-02T12:03:18.893+00:00

I have already set the " User assignment" required to "Yes".
Still I am able to read other users emails.

Accepted answer

Shivam Dhiman 5,946 Reputation points

2022-09-01T20:54:44.497+00:00

Hi @David Harrison

Application access policy will help you in this scenario. Please refer to this documentation for more details https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access .

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

David Harrison 36 Reputation points

2022-09-05T14:22:54.59+00:00

thank you, I'll try to get this implemented and see if it resolves..

thanks
Please sign in to rate this answer.

1 person found this answer helpful.
Shivam Dhiman 5,946 Reputation points

2022-09-14T09:31:57.747+00:00

Hi @David Harrison

If the answer was helpful, please click Accept Answer and kindly upvote.
Sign in to comment