Using OAuth 2.0 Client Credentials token able to read all oranization emails. Need to restrict to specific email.

Om Sai Eswar, Mulakaluri 0 Reputation points
2023-05-08T13:29:19.77+00:00

Hi Team,

I registered the App for my outlook email and provided the permission to read the email by using the OAuth 2.0 Client Credentials.

But the issue is i can able to read all the emails of the organization people using that token.

Is there any way to restrict only the token should work for specific email .

Thanks,

Omsai M.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,112 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Dillon Silzer 54,931 Reputation points
    2023-05-08T15:12:16.6033333+00:00

    Hello,

    Please see the following documentation:

    Get access on behalf of a user

    https://learn.microsoft.com/en-us/graph/auth-v2-user

    My guess is you are using Read.All permissions. This kind of permissions will allow you to read all user's information in your tenant.


    If this is helpful please accept answer.

    0 comments No comments

  2. CarlZhao-MSFT 39,021 Reputation points
    2023-05-09T08:22:13.3333333+00:00

    Hi @Om Sai Eswar, Mulakaluri

    You can restrict application permissions to specific Exchange Online mailboxes by configuring application access policies.

    User's image

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  3. Om Sai Eswar, Mulakaluri 0 Reputation points
    2023-05-10T09:23:39.7433333+00:00

    From the Graph API like read all messages is not showing any result , after removed the "Read.All" permissions.

    But with the help of Inboxmessages we can abel to read those.

    https://graph.microsoft.com/v1.0/users/<Email>/messages is not working

    but https://graph.microsoft.com/v1.0/users/<Email>/mailFolders/Inbox/messages

    this is one is working.

    We need to restricted to the single email but i can able to read all other email messages also.

    0 comments No comments