dvdzo asked · Danstan-MSFT answered
Is there a good way to read an entire organization's email if an admin consents via the delegated flow?

In the Graph API, if an admin consents to the delegated OAuth flow on behalf of their organization and we then call the mail API, we get access denied, even with Mail.Read permissions.

If we go into the admin portal for a particular user and share the mailbox with the admin, then it works. In our use case we want to use the Graph API to read email on behalf of external tenants. We would like to make this seamless and secure for the administrator and are considering the delegated OAuth flow in the Graph API, but it appears that it doesn't work unless the admin logs into the admin portal and configures that manually or via PowerShell.

So this leads to two questions: (1) Is there a way to read all users' mail on behalf of the organization via the delegated OAuth flow with admin grant? (2) Is there a way to use the Graph API to make a user's mailbox managed by an administrator?

For now we are looking into the client flow, but there are some complications with that as well, so we wanted to be sure there is no good way to do this with the delegated flow.

Tags: azure-ad-authentication, microsoft-graph-mail

Hi @dvdzo, we are investigating your issue and will update you shortly.

Best,
James


1 Answer

Danstan-MSFT answered

As far as I know, using delegated permissions, the signed-in user, even if an admin, can only access another user's mailbox if that mailbox is delegated or shared with the admin user. To be able to read the mail of an entire tenant, that means having access to all user mailboxes.

You will be better off using the application permission Mail.Read, which will allow the app to read mail from users. You mentioned the client flow; if you mean the Client Credentials Flow, then that is what I would suggest.

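The answer above recommends the application permission Mail.Read with the client credentials grant. Below is an added example (not code from the question, the answer, or Microsoft) showing the two points a practitioner has to get right: the token is requested with no signed-in user against the `.default` scope, and the token Azure AD issues then carries the application permission in its `roles` claim rather than the delegated `scp` claim, which is why a delegated admin token is refused on another user's mailbox. The tenant id, client id, secret and the mailbox `alice@contoso.example` are placeholders; the sample tokens are constructed locally and unsigned, purely so the claim check can be exercised offline. The HTTP helper is injectable so the flow can be tested without network access.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# ".default" asks for every application permission an admin has granted the app registration
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_MESSAGES_URL = ("https://graph.microsoft.com/v1.0/users/{user}/messages"
                      "?$top=10&$select=subject,from,receivedDateTime")


def _http(url, data=None, headers=None):
    """Minimal urllib wrapper returning parsed JSON; swapped for a fake when testing offline."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def client_credentials_token(tenant_id, client_id, client_secret, http=_http):
    """Client credentials grant: no user signs in, so the token carries app 'roles', not 'scp'."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": GRAPH_SCOPE,
    }).encode()
    resp = http(TOKEN_URL.format(tenant=tenant_id), data=body,
                headers={"Content-Type": "application/x-www-form-urlencoded"})
    return resp["access_token"]


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    This is only for inspecting what Azure AD issued to our own app; Graph validates the
    signature server-side. Never use an unverified decode to trust an inbound token.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped per RFC 7515
    return json.loads(base64.urlsafe_b64decode(payload))


def has_app_mail_read(claims):
    """True when the token holds the *application* permission Mail.Read (claim 'roles').

    A delegated token instead carries 'scp' (e.g. "Mail.Read User.Read") and is limited to
    mailboxes the signed-in user can already open, which is the 403 the question describes.
    """
    return "Mail.Read" in claims.get("roles", [])


def list_user_messages(token, user_principal_name, http=_http):
    """Read any tenant user's mailbox with an app-only token; rejects a delegated token early."""
    if not has_app_mail_read(decode_jwt_claims(token)):
        raise PermissionError("token lacks application permission Mail.Read; Graph would return 403")
    url = GRAPH_MESSAGES_URL.format(user=urllib.parse.quote(user_principal_name))
    return http(url, headers={"Authorization": f"Bearer {token}"})["value"]


def make_fake_token(claims):
    """Constructed, unsigned sample token (alg 'none') for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed tokens: one shaped like an app-only token, one like a delegated admin token.
    app_token = make_fake_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"]})
    delegated_token = make_fake_token({"aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read"})
    print(has_app_mail_read(decode_jwt_claims(app_token)))        # True
    print(has_app_mail_read(decode_jwt_claims(delegated_token)))  # False
    # Real use (placeholders): token = client_credentials_token("<tenant-id>", "<client-id>", "<secret>")
    #                          msgs = list_user_messages(token, "alice@contoso.example")
```

Because application Mail.Read reaches every mailbox in the tenant, the consenting admin should scope it down with an Exchange Online application access policy (`New-ApplicationAccessPolicy`) so the app can only open the mailboxes it actually needs, and should monitor the app's sign-in and Graph activity like any other high-privilege service principal.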