Reputation: 9219
I need to read mail off a shared mailbox in a Web API. The Web API will not be running on behalf of a user and there is no user interaction. What is the flow I should use to authenticate (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows)? I tried the standard authentication using an application ID and secret,
but when I tried to access the shared mailbox through it I got an access denied error. Also, how will the maintainer of the shared mailbox grant the application access?
Upvotes: 0
Views: 1792
Reputation: 1801
First the delegation or sharing of a mailbox is done through the outlook client.
Microsoft Graph shared mailbox access (documented here for shared mail folders) is the same as for non-shared mailboxes but with the shared mailbox permissions, i.e. Mail.Read.Shared or Mail.ReadWrite.Shared, and only works for delegated permissions.
That said, when it comes to the flow to use, it depends on your requirements. From what you have described you should be able to use the Client credentials flow and the application permissions Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite.
Another point is that if your API will not run on behalf of a user then the context of shared mailbox does not apply because Graph will consider shared access if the access token has delegated permissions but with application permissions access, it does not apply. This is why the permissions Mail.Read.Shared or Mail.ReadWrite.Shared are not available on application permissions.
To better understand:
GET /users/{id | userPrincipalName}/mailFolders.. will only work if id | userPrincipalName is not the signed in user and Mail.Read.Shared or Mail.ReadWrite.Shared are added as delegated permissions
GET /users/{id | userPrincipalName}/mailFolders.. without signed in user will not consider the mailbox as shared.
Upvotes: 1
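The app-only path the answer describes, as an added example that is not part of the question or answer: a client credentials token request with the `.default` scope, a check that the returned token actually carries an application `Mail.*` role (app-only tokens put application permissions in the `roles` claim, delegated tokens in `scp`), and the `/users/{upn}/mailFolders` call addressed to the shared mailbox. The tenant, client id, secret and `shared@example.com` are placeholders, and `make_unsigned_token` builds a constructed token only so the checks can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders; real values come from the app registration and a secret store.
TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<tenant-id>", "<application-id>", "<client-secret>"
SHARED_MAILBOX = "shared@example.com"  # constructed UPN of the shared mailbox

def build_token_request(tenant_id, client_id, client_secret):
    """Client credentials grant on the v2.0 token endpoint; the app-only scope is .default."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body

def build_messages_url(mailbox, top=10):
    """App-only calls address the mailbox explicitly under /users/{upn}; /me has no meaning."""
    return (f"https://graph.microsoft.com/v1.0/users/{urllib.parse.quote(mailbox)}"
            f"/mailFolders/inbox/messages?$top={top}&$select=subject,from,receivedDateTime")

def app_roles(access_token):
    """App-only tokens carry application permissions in 'roles'; delegated ones use 'scp'.
    The payload is decoded for inspection only; Graph validates the signature."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def has_mail_role(access_token):
    """True if the token grants one of the application permissions the answer names."""
    return bool(app_roles(access_token) & {"Mail.ReadBasic.All", "Mail.Read", "Mail.ReadWrite"})

def make_unsigned_token(claims):
    """Constructed, unsigned JWT used only to exercise the checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"

def read_inbox(tenant_id, client_id, client_secret, mailbox):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.load(r)["access_token"]
    if not has_mail_role(token):  # admin consent for the application permission is missing
        raise PermissionError("token carries no application Mail.* role")
    req = urllib.request.Request(build_messages_url(mailbox), headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)["value"]
```

Mail.Read as an application permission covers every mailbox in the tenant, so the mailbox owner cannot grant it; a tenant admin consents to it. An Exchange Online application access policy (New-ApplicationAccessPolicy) can then restrict the app to the shared mailbox only.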