In the Graph API, if an admin consents to the delegated OAuth flow on behalf of their organization and we then call the mail API, we get access denied, even with Mail.Read permissions.
If we go into the admin portal for a particular user and share the mailbox with the admin, then it works. In our use case we want to use the Graph API to read email on behalf of external tenants. We would like to make this seamless and secure for the administrator and are considering the delegated OAuth flow in the Graph API, but it appears that it doesn't work unless the admin logs into the admin portal and configures that manually or via PowerShell.
So this leads to two questions: (1) Is there a way to read all users' mail on behalf of the organization, via the delegated OAuth flow with admin grant? (2) Is there a way to use the Graph API to make a user's mailbox managed by an administrator?
For now we are looking into the client flow, but there are some complications with that as well, so we wanted to be sure there is no good way to do this with the delegated flow.