Count unread emails with mail.readbasic permission?

Michael Khalili 21 Reputation points

I'd like to use the Outlook mail REST API to count the number of unread emails a user has in their inbox with the most limited scoped permission possible. My understanding is Mail.ReadBasic might be able to do it.

Mail.ReadBasic allows the app to read email in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties. Does not include permissions to search messages.

Is read/unread status available to me with Mail.ReadBasic or is it considered an "extended permission"?

Could I use the User List Messages endpoint with "filter=isRead ne true" or do I need "permission to search messages" to use List Messages with a filter?


Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,126 questions
0 comments No comments
{count} votes

Accepted answer
  1. Danstan Onyango 3,816 Reputation points Microsoft Employee

    isRead property is available with Mail.ReadBasic and I believe you can use it for the purpose. Try the sample below using Graph Explorer and see.

    GET ne true&$select=isRead
        "@odata.context": "$metadata...,
        "value": [
                "@odata.etag": "W/\"CQAAABYAAAC7HU...\"",
                "id": "AAMkAGFhNjVkOTU3...",
                "isRead": false
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Michael Khalili 21 Reputation points

    Thanks @zemuldo !

    I tried the query in graph explorer but I'm confused about the results.

    When I run the query without the $select filter, I get the entire message contents. However, the permissions tab says "One of the following permissions is required to run the query" and it lists Mail.ReadBasic as one of those permissions. That makes me think any one of the listed permissions are required, not that I need all the listed permissions.

    So, according to the permissions tab, Mail.ReadBasic is enough to run the following query:$filter=isRead ne true

    But if you look at the results in my screenshot, I got the body tag with the results which shouldn't be allowed with only ReadBasic.

    It partially makes sense because I shouldn't need both Mail.Read and Mail.ReadWrite for the results. Either one of those on their own should work but it doesn't make sense that Mail.ReadBasic would be sufficient on its own.

    I tried to login and consent to only Mail.ReadBasic but the consent option for ReadBasic is broken. I get a console error "ServerError: The provided value for the input parameter 'scope' is not valid. The scope 'Mail.ReadBasic openid profile' does not exist."

    What is my misunderstanding? Thanks for your help!


  2. Michael Khalili 21 Reputation points

    When I'm not logged in, there's no option to consent (attached screenshot). When I am logged in, the option to consent for Mail.ReadBasic is broken. The popup window that asks me to confirm the consent opens and immediately closes. The console shows this error "ServerError: The provided value for the input parameter 'scope' is not valid. The scope 'Mail.ReadBasic openid profile' does not exist."

    However, I'd say your test results are enough for me to confirm that ReadBasic does what I'm looking for. Based on this, I can invest more time in the project and move it forward.

    Thanks taking the time to help me confirm how ReadBasic works!