Delegated Permissions or Application Permissions for system messages

Quarfie 1 Reputation point
2021-04-06T06:24:05.263+00:00

If you have an internal app that has its own email address within the company for system notifications, would you generally want to use Delegated Permissions or Application Permissions to read & send mail via Microsoft Graph?

If Delegated Permissions are preferable, can you generally keep refreshing the access token "forever" once there has been a manual login?

If Application Permissions are preferable, how do you restrict the app to only be able to access its own mailbox?


1 answer

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2021-04-07T06:05:43.367+00:00

    Hello @Quarfie, thank you for reaching out. In your scenario, I would definitely prefer using Application Permissions. Let me explain to you why I prefer using application permissions here.

    Delegated Permissions are mostly used for Users, where they can go ahead and interactively sign in. Once authenticated and authorized by the IDP using the OIDC or OAuth 2.0 (Auth-Code Grant Flow) protocols, the user is presented with a pair of access-tokens and refresh-tokens. The access-token is valid for 1 hour by default, and then the refresh token is used to fetch another access-token valid for another 1 hour. Now technically you can use the refresh token until it is revoked and keep refreshing the access-token. If the refresh-token sits idle for more than 90 days, that's when another interactive login would be required, as the refresh token would have been invalidated after 90 days.

    Note: There is a non-interactive way of fetching a token from AAD, i.e. using the Resource-Owner-Password-Credentials Grant Flow (ROPC) of OAuth, but then we always recommend using this flow, as, in this flow, your username and password would be available in the application code, which is a big security risk.

    Application Permissions are mainly for services where there is no option of an interactive login to supply the application's credentials to the IDP. Hence in these cases, the Client-Credentials flow is used, where the application's ID and secret are present in the request sent to the token endpoint of AAD. In this flow of OAuth, no refresh-token is issued, but then the application has to reach out to AAD every 1 hour to get a new access-token. When the access token is issued to the application, the token's aud (audience) property would have "https://graph.microsoft.com" and the roles property would contain the permissions this application brings in with itself. Now, these are the two fields that Graph API would mainly look into to authorize the access of the application. Hence there is no way to restrict the application to accessing only its own mailbox. You can surely code your application to make calls only to the application's own mailbox.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

    1 person found this answer helpful.
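The following is an added example, not code from the question or the answer above, showing the client-credentials token request the answer describes, a check of the token's aud and roles claims, and the "code your application to make calls only to its own mailbox" guard that the answer says is the app's own responsibility. Tenant, client and mailbox values are constructed placeholders; the unsigned_token helper exists only so the claim checks can be exercised offline, since real tokens come signed from AAD.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Graph's own application ID: v1.0 tokens carry the URL above as aud, v2.0 tokens carry this GUID.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
APP_MAILBOX = "notifications@contoso.example"  # the app's own mailbox (constructed value)


def get_app_token(tenant_id, client_id, client_secret):
    """Client-credentials grant. No refresh token comes back, so the app
    simply calls this again when the roughly one-hour access token expires."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": f"{GRAPH}/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def token_claims(token):
    """Read the JWT payload without verifying it (Graph verifies the signature)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def has_role(token, role):
    claims = token_claims(token)  # True only for a Graph audience carrying the app role
    return claims.get("aud") in (GRAPH, GRAPH_APP_ID) and role in claims.get("roles", [])


def mailbox_url(mailbox, path):
    """Single choke point for mailbox URLs. An app-permission token is not
    scoped to one mailbox, so the code itself refuses every other mailbox."""
    if mailbox.lower() != APP_MAILBOX.lower():
        raise PermissionError(f"refusing to access mailbox {mailbox}")
    return f"{GRAPH}/v1.0/users/{mailbox}/{path}"


def send_notification(token, to_addr, subject, text):
    """POST .../sendMail from the app's own mailbox; Graph answers 202 Accepted."""
    body = {"message": {"subject": subject, "body": {"contentType": "Text", "content": text},
                        "toRecipients": [{"emailAddress": {"address": to_addr}}]}}
    req = urllib.request.Request(mailbox_url(APP_MAILBOX, "sendMail"), data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def unsigned_token(claims):
    """Constructed, unsigned JWT for offline testing of the claim checks only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Because the guard lives in mailbox_url, every Graph call in the app goes through it, and a bug or misuse elsewhere cannot quietly read another user's mailbox with the app-only token.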