Reputation: 55
I want to be able to have a list of all users who can view a certain mail item. As an admin on the frontend of Exchange Online, I can view all my users' mail, but when I call the API, only my mail is returned. I want to be able to make calls to see exactly who has permission to view each mail item, and cannot find a way through the API.
I can get a list of all users, a list of all mail for each user, a list of all mailboxes, and a list of all groups, but not the permissions on each mail item.
GET /users/{id | userPrincipalName}/messages
returns all the mail, but mail items come with the following structure:
{
"bccRecipients": [{"@odata.type": "microsoft.graph.recipient"}],
"body": {"@odata.type": "microsoft.graph.itemBody"},
"bodyPreview": "string",
"categories": ["string"],
"ccRecipients": [{"@odata.type": "microsoft.graph.recipient"}],
"changeKey": "string",
"conversationId": "string",
"createdDateTime": "String (timestamp)",
"flag": {"@odata.type": "microsoft.graph.followupFlag"},
"from": {"@odata.type": "microsoft.graph.recipient"},
"hasAttachments": true,
"id": "string (identifier)",
"importance": "String",
"inferenceClassification": "String",
"internetMessageHeaders": [{"@odata.type": "microsoft.graph.internetMessageHeader"}],
"internetMessageId": "String",
"isDeliveryReceiptRequested": true,
"isDraft": true,
"isRead": true,
"isReadReceiptRequested": true,
"lastModifiedDateTime": "String (timestamp)",
"parentFolderId": "string",
"receivedDateTime": "String (timestamp)",
"replyTo": [{"@odata.type": "microsoft.graph.recipient"}],
"sender": {"@odata.type": "microsoft.graph.recipient"},
"sentDateTime": "String (timestamp)",
"subject": "string",
"toRecipients": [{"@odata.type": "microsoft.graph.recipient"}],
"uniqueBody": {"@odata.type": "microsoft.graph.itemBody"},
"webLink": "string",
"attachments": [{"@odata.type": "microsoft.graph.attachment"}],
"extensions": [{"@odata.type": "microsoft.graph.extension"}],
"multiValueExtendedProperties": [{"@odata.type": "microsoft.graph.multiValueLegacyExtendedProperty"}],
"singleValueExtendedProperties": [{"@odata.type": "microsoft.graph.singleValueLegacyExtendedProperty"}]
}
This doesn't contain anything about the full permissions on the item. Does anyone know of a way to get this?
Upvotes: 0
Views: 2611
Reputation: 151
You can't get item-level permissions, as an item doesn't store an ACL associated with it. You can, however, get folder-level permissions by querying PR_NT_SECURITY_DESCRIPTOR (0x0E270102) on the folder.
I actually wrote a script for this based on my old REST API client engine: Start-MailboxFolderPermissionReport
I can, if the script isn't enough, write a C# way of doing it through the Graph Managed API.
Upvotes: 2
Reputation: 2292
There doesn't appear to be a way to expose mailbox or folder permissions through the Graph API. These are available through the Exchange Online PowerShell module, e.g. Get-MailboxFolderPermission.
Upvotes: 0
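Following the two answers above, which point to folder-level permissions and to Get-MailboxFolderPermission, this added example (not part of either answer) reports who holds mailbox-level or folder-level access in one mailbox. It assumes the ExchangeOnlineManagement module is installed and uses a placeholder mailbox address; Get-MailboxPermission and Get-MailboxFolderStatistics are cmdlets not mentioned on the page.

```powershell
# Added example: access report for one mailbox (not code from the thread).
# Assumption: ExchangeOnlineManagement module installed, caller may read permissions.
$Mailbox = 'user@example.com'   # placeholder address, not from the page

Connect-ExchangeOnline -ShowBanner:$false

# Mailbox-level grants (for example FullAccess) cover every item in the mailbox.
$mailboxGrants = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object @{n='Scope';  e={'Mailbox'}},
                  @{n='Folder'; e={'*'}},
                  @{n='User';   e={"$($_.User)"}},
                  @{n='Rights'; e={$_.AccessRights -join ','}}

# Folder-level grants: a message has no ACL of its own, so the permissions on
# its parent folder determine who else can read it.
$folderGrants = foreach ($folder in Get-MailboxFolderStatistics -Identity $Mailbox) {
    # Address the folder by ID so names containing '/' or '\' do not break the path.
    $identity = "${Mailbox}:$($folder.FolderId)"
    try {
        Get-MailboxFolderPermission -Identity $identity -ErrorAction Stop |
            Where-Object { ($_.AccessRights -join ',') -ne 'None' } |
            Select-Object @{n='Scope';  e={'Folder'}},
                          @{n='Folder'; e={$folder.FolderPath}},
                          @{n='User';   e={"$($_.User)"}},
                          @{n='Rights'; e={$_.AccessRights -join ','}}
    } catch {
        # Some system folders do not expose permissions; note it and continue.
        Write-Warning "Skipped $($folder.FolderPath): $($_.Exception.Message)"
    }
}

# One combined table: anyone listed for a folder can read the items stored in it.
@($mailboxGrants) + @($folderGrants) |
    Sort-Object Scope, Folder, User |
    Format-Table -AutoSize
```

To answer "who can view this message", look up the rows whose Folder matches the message's parent folder and add the mailbox-level rows.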