Azure Enterprise Apps Permissions

SenhorDolas 1,296 Reputation points
2022-02-17T11:05:58.717+00:00

Hi Everyone,

I have an in-house .NET app which needs to connect to an Office365 mailbox to scrape emails (read and delete).

I don't want the app to use legacy authentication (username + password).

I know I can leverage AZ AD Enterprise Apps and grant permissions and then link the Enterprise app to the .net app.

My question is which Microsoft Graph permissions should I grant?

I looked in there and I think I need:

Mail.ReadWrite: Read and write access to user mail. Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail.
[screenshot: 175309-screenshot-2022-02-17-105408.png]

Can I grant these permissions to a single account?

Are there other default permissions required?

Thanks, M


2 answers

  1. Manu Philip 18,151 Reputation points MVP
    2022-02-17T11:15:04.48+00:00

    I guess granting the following permissions should help:
    [screenshot: 175412-image.png]

    I have created a similar post in my blog for your reference here: create-custom-folder-in-exchange-online-mailboxes-using-graph-api-using-windows-powershell

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it

    1 person found this answer helpful.

  2. Vasil Michev 103.7K Reputation points MVP
    2022-02-17T14:02:57.903+00:00

    There are two models you can use with Graph API: delegate permissions and application permissions. For the former, your app runs in the context of a given user, and the permissions it has are the subset of permissions granted to the user and the permissions granted to the app. Thus, the application will only be able to access mailboxes that the given user can access, which usually is just his own mailbox (but he might also have been granted permissions on other mailboxes). This is the most appropriate approach for your case.

    In the application permissions model, there is no user context and the application gets access to all mailboxes in the directory. The only way to restrict such permissions is the so-called application access policies: https://practical365.com/application-access-policies-in-exchange-online/

    Do note however that some operations/Graph API endpoints can only be performed by certain types of permissions, not all. So it will also depend on what your application needs to do.

    1 person found this answer helpful.
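As an added example (not code from the thread or from either answerer), here is the application access policy the second answer refers to, applied in Exchange Online PowerShell to confine an app-only Mail.ReadWrite grant to the single mailbox the question asks about. The app ID, the mail-enabled security group and the mailbox addresses are placeholders; the script assumes the ExchangeOnlineManagement module and Exchange administrator rights.

```powershell
# Added example: restrict an app-only (application permission) Mail.ReadWrite grant to one
# mailbox with an Exchange Online application access policy, then verify the effective result.
# Placeholders: the app registration's Application (client) ID, a mail-enabled security group
# whose only member is the scraping mailbox, and an unrelated mailbox used as a negative check.

$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: your app's client ID
$ScopeGroup = 'mailscraper-scope@contoso.example'      # placeholder: mail-enabled security group, sole member = target mailbox
$TargetUser = 'scraper-mailbox@contoso.example'        # placeholder: the one mailbox the app may read and delete from
$OtherUser  = 'someone.else@contoso.example'           # placeholder: any other mailbox; must end up denied

Connect-ExchangeOnline

# Without a policy, an app holding application-level Mail.ReadWrite reaches every mailbox in the tenant.
# RestrictAccess limits the app to members of the scope group; all other mailboxes are denied.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit in-house mail scraper to its own mailbox'

# Check the effective access for both mailboxes. Policy changes can take a while to propagate,
# so a Denied result for the target mailbox right after creation may simply need a retry.
$allowed = Test-ApplicationAccessPolicy -Identity $TargetUser -AppId $AppId
$denied  = Test-ApplicationAccessPolicy -Identity $OtherUser  -AppId $AppId

if ($allowed.AccessCheckResult -ne 'Granted') { throw "Policy does not grant $TargetUser to $AppId" }
if ($denied.AccessCheckResult  -ne 'Denied')  { throw "Policy does not block $OtherUser for $AppId" }

# Review all policies in the tenant: an app-only mail permission with no matching policy here
# means unrestricted, tenant-wide mailbox access for that app.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description
```

Re-run the two Test-ApplicationAccessPolicy checks whenever the app registration or the scope group membership changes, since the policy is keyed on the app ID and the group rather than on the Graph permission itself.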
