Question asked by Quarfie-2207

Delegated Permissions or Application Permissions for system messages

If you have an internal app that has its own email address within the company for system notifications, would you generally want to use Delegated Permissions or Application Permissions to read & send mail via Microsoft Graph?

If Delegated Permissions are preferable, can you generally keep refreshing the access token "forever" once there has been a manual login?

If Application Permissions are preferable, how do you restrict the app to only be able to access its own mailbox?

Tags: microsoft-graph-applications, microsoft-graph-security

1 Answer

Answered by soumi-MSFT

Hello @Quarfie-2207, thank you for reaching out. In your scenario, I would definitely prefer using Application Permissions. Let me explain to you why I prefer using application permissions here.

Delegated Permissions are mostly used for users, who can go ahead and interactively sign in. Once authenticated and authorized by the IdP using the OIDC or OAuth 2.0 (Auth-Code Grant Flow) protocols, the user is presented with a pair of tokens: an access token and a refresh token. The access token is valid for 1 hour by default, and the refresh token is then used to fetch another access token valid for another 1 hour. Now technically you can use the refresh token until it is revoked and keep refreshing the access token. If the refresh token sits idle for more than 90 days, that's when another interactive login would be required, as the refresh token would have been invalidated after 90 days.

Note: There is a non-interactive way of fetching a token from AAD, i.e. using the Resource-Owner-Password-Credentials (ROPC) grant flow of OAuth, but then we always recommend using this flow, as, in this flow, your username and password would be available in the application code, which is a big security risk.

Application Permissions are mainly for services where there is no option of an interactive login to supply credentials to the IdP. Hence in these cases, the Client-Credentials flow is used, where the application's ID and secret are present in the request sent to the token endpoint of AAD. In this flow of OAuth, no refresh token is issued, but then the application has to reach out to AAD every 1 hour to get a new access token. When the access token is issued to the application, the token's aud (audience) property would have "https://graph.microsoft.com" and the roles property would contain the permissions this application brings in with itself. Now, these are the two fields that Graph API would majorly look into to authorize the access of the application. Hence there is no way to restrict the application from accessing its own mailbox. You can surely code your application to make calls to the application's own mailbox.



Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.


Quarfie-2207 commented: Thanks, that gets me started. But the main reason for my confusion is how to grant the Application Permission access to one mailbox only, as it defaults to all mailboxes.

I now see some info about this at https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

It looks like you have to set up a security group even if it's just for one account. Is that right?
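One way to scope an app that holds application permissions to a single mailbox, following the Exchange Online application access policy approach in the document linked above. This is an added example, not code from the thread or from Microsoft; the app ID, the group address and the mailbox addresses are placeholders, and it assumes a mail-enabled security group whose only member is the notification mailbox.

```powershell
# Added example: restrict an app registration holding Mail.Read / Mail.Send
# application permissions to one mailbox via an application access policy.
# Assumes the Exchange Online Management module is installed and the caller
# has the rights to manage application access policies.
Connect-ExchangeOnline

# Placeholder: client (application) ID of the notifications app registration
$AppId = "00000000-0000-0000-0000-000000000000"

# Placeholder: mail-enabled security group containing ONLY the notifications mailbox
$ScopeGroup = "notifications-app-scope@contoso.example"

# Deny the app access to every mailbox except members of the scope group
New-ApplicationAccessPolicy `
    -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description "Notifications app: own mailbox only"

# Verify the policy: the in-scope mailbox should report Granted,
# any other mailbox in the tenant should report Denied
Test-ApplicationAccessPolicy -Identity "notifications@contoso.example" -AppId $AppId
Test-ApplicationAccessPolicy -Identity "someone.else@contoso.example" -AppId $AppId
```

The group membership is what defines the scope, so the group is required even when it contains a single mailbox; re-run Test-ApplicationAccessPolicy after a short delay if the result does not yet reflect the new policy.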