This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 53%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
Hi Team,
I want to read emails received in my organizations SharedMailBox though an inhouse API using Graph API. In order to do so I registered an application in MS Entra. Went to API permissions > Microsoft Graph > Application permissions, and then gave Mail.Read permissions. I was able to get the email data via the Graph api https://graph.microsoft.com/v1.0/users/{{mailbox email id}}/messages. But problem is that it gives me access to all the mailboxes including user mailbox. If I use delegated permissions, then I do not have any login associated with my SharedMailbox to give access to the application.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 46%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
If you want to use app level permissions so it can be fully automated, you would want to setup an App access policy in exchange and scope it to the one shared mailbox. That way you can run an unattended script/process to collect the data from the mailbox, but your app wouldn't have access to any other mailboxes
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
When using delegate permissions, the user under whose identity your code is running will need to have Full access permissions on the mailbox (which in turn means the user must have a mailbox on his own). On the Graph API side, make sure the Mail.Read.Shared scope has been granted. Then, use a request such as:
https://graph.microsoft.com/v1.0/users/******@domain.com/messages?$top=1
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 3%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Posted by mistake.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 28.000000000000004%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Where can I grant the Mail.Read.Shared permission? It doesn't come up in the modify permission section of Graph Explorer and I can't find it in Entra ID under enterprise Apps-> Graph Explorer.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 10%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
If you want to access a shared mailbox, you can use the Mail.Read.Shared or Mail.ReadWrite.Shared permissions. These permissions only work for delegated permissions. You can access the shared mailbox and its messages like the following: https://graph.microsoft.com/v1.0/users/{sharedmailboxmailaddress}/messages.