Microsoft Graph on behalf of a user or without a user

Question

I'm working on an app that is used by about 50 project managers to make quotations. When a quotation is ready, it is to be emailed to the intended customer from one of two accounts, lets call these Left and Right, depending on the postal code of the customer. We would like to use Microsoft Graph API to facilitate sending these emails. I'm confused as to whether I should get access to Graph 'on behalf of a user' or 'without a user'. The quotation is not sent from the account of the project manager that is logged into the app. It is sent from either the Left or the Right account. Thanks for any guidance!

On behalf of a user: https://learn.microsoft.com/en-us/graph/auth-v2-user

Without a user: https://learn.microsoft.com/en-us/graph/auth-v2-service

Answer 1

I think the choice depends on the way you set up your application.

The 'without a user' flow refers to a process in which there is no user that signs in. That means you need to obtain a token in that process to send an e-mail using the Graph API. If your admin has given consent to your application's permissions for sending e-mails, it is possible to send an e-mail as a given user. Rather than the user consenting on behalf of their inbox like the 'On behalf' flow, the admin can consent on behalf of all user's inboxes in a given tenant. You will need an auth token on behalf of your application and the id of the given user. Though this would personally not have my preference as technically e-mail can be sent from any e-mail address within the tenant.

You could use the 'On behalf' flow if the project managers do have access to the left or right account (like a shared inbox) and if the e-mail sending is invoked from the application itself. If it is not sent from that context, you would need to use the first option.