This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Outlook add-ins specify the required permission level in their manifest. There are four available levels.
| Permission level canonical name |
add-in only manifest name | unified manifest for Microsoft 365 name | Summary description |
|---|---|---|---|
| restricted | Restricted | MailboxItem.Restricted.User | Allows access to properties and methods that don't pertain to specific information about the user or mail item. |
| read item | ReadItem | MailboxItem.Read.User | In addition to what is allowed in restricted, it allows:
|
| read/write item | ReadWriteItem | MailboxItem.ReadWrite.User | In addition to what is allowed in read item, it allows:
|
| read/write mailbox | ReadWriteMailbox | Mailbox.ReadWrite.User | In addition to what is allowed in read/write item, it allows:
|
Permissions are declared in the manifest. The markup varies depending on the type of manifest.
Note
true. For details, see Implement shared folders and shared mailbox scenarios in an Outlook add-in. With the unified manifest, specify this permission with the name Mailbox.SharedFolder in an additional object in the "authorization.permissions.resourceSpecific" array.The four levels of permissions are cumulative: the read/write mailbox permission includes the permissions of read/write item, read item and restricted, read/write item includes read item and restricted, and the read item permission includes restricted.
You can see the permissions requested by a mail add-in before installing it from AppSource. You can also see the required permissions of installed add-ins in the Exchange Admin Center.
Tip
To make sure that your Outlook add-in specifies the correct permission level, verify the minimum permission level required by each API implemented by your add-in. For information on minimum permission levels, see Outlook API reference.
The restricted permission is the most basic level of permission. Outlook assigns this permission to a mail add-in by default if the add-in doesn't request a specific permission in its manifest.
Access any properties and methods that do not pertain to specific information about the user or item (see the next section for the list of members that do).
Use the ItemHasAttachment or ItemHasRegularExpressionMatch rule.
Access the members in the following list that pertain to the information of the user or item. Attempting to access members in this list will return null and result in an error message which states that Outlook requires the mail add-in to have elevated permission.
The read item permission is the next level of permission in the permissions model.
Read all the properties of the current item in a read or compose form. For example, item.to in a read form and item.to.getAsync in a compose form.
In Exchange on-premises environments, get a callback token to get the full mail item with Exchange Web Services (EWS).
Important
Legacy Exchange tokens are deprecated. Starting February 2025, we'll begin to turn off legacy Exchange user identity and callback tokens for Exchange Online tenants. For the timeline and details, see our FAQ page. This is part of Microsoft's Secure Future Initiative, which gives organizations the tools needed to respond to the current threat landscape. Exchange user identity tokens will still work for Exchange on-premises. Nested app authentication is the recommended approach for tokens going forward.
Write custom properties set by the add-in on that item.
Use regular expressions in a contextual add-in.
Use the token provided by mailbox.getCallbackTokenAsync to:
Use any of the following APIs.
Specify read/write item permission in the manifest to request this permission. Mail add-ins activated in compose forms that use write methods (Message.to.addAsync or Message.to.setAsync) must use at least this level of permission.
Read and write all item-level properties of the item that is being viewed or composed in Outlook.
Add or remove attachments of that item.
Use all other members of the Office JavaScript API that are applicable to mail add-ins, except Mailbox.makeEWSRequestAsync.
Use the token provided by mailbox.getCallbackTokenAsync to:
Use mailbox.makeEWSRequestAsync.
The read/write mailbox permission is the highest level of permission.
In Exchange on-premises environments, the token provided by mailbox.getCallbackTokenAsync provides access to use Exchange Web Services (EWS) operations or Outlook REST APIs to do the following:
Through mailbox.makeEwsRequestAsync, you can access the following EWS operations.
Attempting to use an unsupported operation will result in an error response.
Important
Legacy Exchange tokens are deprecated. Starting February 2025, we'll begin to turn off legacy Exchange user identity and callback tokens for Exchange Online tenants. For the timeline and details, see our FAQ page. This is part of Microsoft's Secure Future Initiative, which gives organizations the tools needed to respond to the current threat landscape. Exchange user identity tokens will still work for Exchange on-premises. Nested app authentication is the recommended approach for tokens going forward.
Office Add-ins feedback
Office Add-ins is an open source project. Select a link to provide feedback:
Training
Module
Build Office Add-ins for Outlook - Training
This module walks through development of Office Add-ins for Microsoft Outlook.
Certification
Microsoft Office Specialist: Outlook (Office 2016) - Certifications
Demonstrate that you have the skills needed to get the most out of Outlook 2016 by earning a Microsoft Office Specialist (MOS) certification.