Microsoft.Graph API permissions issue

Tochi Chiang 1 Reputation point

My goal is simple. Read and delete emails from an account hosted on Office 365 from my C# Windows service.
It suddenly became complicated when I learned that I have to use OAuth2 via the Microsoft.Graph API.
I am puzzled when requesting API permissions from Microsoft Graph.
Delegated permissions are not for me because my program is not an interactive program.
I can't use Application permissions either because I have regular access to the single email account only. No way I can get the admin to do anything special for me.
Any help?


2 answers

  1. CarlZhao-MSFT 37,786 Reputation points

    Hi @Tochi Chiang

    There are only two kinds of permissions in MS Graph: delegated permissions and application permissions. Depending on your context, application permissions are obviously not suitable, as application permissions are advanced permissions and all application permissions require administrator consent.

    Therefore, you can only use delegated permissions, in which users participate, and I think delegated permissions are suitable for your scenario. Delegated permissions cover not only interactive login but also silent login, that is, the ROPC flow: you just need to hardcode the username/password in your code. This way you don't need to interact in the browser, but you still get the delegated user token.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Michel de Rooij 1,536 Reputation points MVP

    User Consent workflow (delegated) only works for publisher verified applications.
    For non-verified applications, you need to use the admin consent workflow.
    Seems like you're in a catch-22.
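
The ROPC (resource owner password credentials) flow named in the first answer, written out in C# as an added example that is not part of either answer. The environment variable names are assumptions, and the credentials are read from the environment rather than hardcoded; it also assumes the app registration allows public client flows, that consent for `Mail.ReadWrite` is already in place, and that the account is not subject to MFA, which ROPC cannot satisfy.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

class RopcMailExample
{
    static async Task Main()
    {
        // Assumed variable names; values come from your app registration and mailbox.
        string tenant = Environment.GetEnvironmentVariable("GRAPH_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("GRAPH_CLIENT_ID");
        string user = Environment.GetEnvironmentVariable("GRAPH_MAIL_USER");
        string password = Environment.GetEnvironmentVariable("GRAPH_MAIL_PASSWORD");
        using var http = new HttpClient();

        // OAuth 2.0 password grant (RFC 6749 section 4.3) against the v2.0 token endpoint.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = clientId,
            ["scope"] = "https://graph.microsoft.com/Mail.ReadWrite",
            ["username"] = user,
            ["password"] = password
        });
        var tokenResp = await http.PostAsync(
            $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", form);
        string tokenJson = await tokenResp.Content.ReadAsStringAsync();
        if (!tokenResp.IsSuccessStatusCode) // body names the cause, e.g. missing consent or MFA
            throw new InvalidOperationException("Token request failed: " + tokenJson);
        using var tokenDoc = JsonDocument.Parse(tokenJson);
        string accessToken = tokenDoc.RootElement.GetProperty("access_token").GetString();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        // Read the first page of messages, then delete each one by id.
        string listJson = await http.GetStringAsync(
            "https://graph.microsoft.com/v1.0/me/messages?$select=id,subject&$top=10");
        using var listDoc = JsonDocument.Parse(listJson);
        foreach (var msg in listDoc.RootElement.GetProperty("value").EnumerateArray())
        {
            string id = msg.GetProperty("id").GetString();
            Console.WriteLine(msg.GetProperty("subject").GetString());
            var del = await http.DeleteAsync($"https://graph.microsoft.com/v1.0/me/messages/{id}");
            del.EnsureSuccessStatusCode(); // Graph answers 204 No Content on success
        }
    }
}
```

If the token request fails, the error body thrown above shows whether the blocker is consent (the situation the second answer describes) or a sign-in policy.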