Accessing refresh token (lifetime) for microsoft graph api's for outlook

sudarshan Dhatrak 0 Reputation points
2024-05-02T13:51:24.5033333+00:00
I have a server side application which needs to access  emails of all employees of my organization for statistics purpose (using apis) . I am going to  use  oauth to get the access of my employees outlook accounts by sending them oauth authorization links over mail. Is there a direct way to access my employees emails using admin account api's ? If I take individual consents from them, I want to make the refresh token life time infinite so that I dont need to send mails to my employees again and again for their oauth consent approval. Or there is any other way like running crons to update the refresh token for individual user to make its lifetime forever. 
Outlook
Outlook
A family of Microsoft email and calendar products.
3,091 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,798 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Yakun Huang-MSFT 705 Reputation points Microsoft Vendor
    2024-05-03T06:04:59.33+00:00

    Hi @sudarshan Dhatrak

    That's okay, you can use an admin account to access emails for all employees, but admin account needs to be granted delegated permissions by all employees, this seems like a lot of work.

    The link can be found on how to grant delegated permissions to an admin account for an employee account:

    https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide#read-email-in-another-users-mailbox

    Access the delegated folder via the Graph API for more details:

    https://learn.microsoft.com/en-us/graph/outlook-share-messages-folders

    For refresh tokens, the maximum validity period is 90 days, and we can't set token lifetime policies for refresh tokens.

    1

    Finally, for the question that you need to access all your employees' mailboxes, I recommend using the client credentials flow, which doesn't require the other users to sign in or grant the appropriate delegated permissions, we just need to grant the app application permission (mail.read) to get all the users' mailboxes.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments No comments