Chi-

Reputation: 3

What is the Correct Microsoft Graph API Permission for Reading Mailbox to specific user only

Good day! I just want to ask about Microsoft Graph API permissions. There are too many options here, but my goal is to have full access ONLY to a specific account and read the mailbox, such as Subject, Email Body, attachment and Sender Email; the system will read the mails from the back end from the specific account only (like basic auth).

I'm trying to make a system for my org. I don't have full control in the Azure portal, so I create an API Permission request.

What option do I need to include in my API permission request?


I saw the "Mail.Read" option, but I think the scope of this option is to access ALL other mail accounts without signing in. Correct me if I'm wrong, but what I really need is for a single account only.

Thank you in advance

Upvotes: 0

Views: 3116

Answers (3)

Tiny Wang

Reputation: 15906

-- goal is to have the full access ONLY to specific account and read the mail box

Can I understand your requirement as: you may want to have a user who is in an admin role, and only this user can query mail information for all other users? If so, you must have a sign-in popup window to let users sign in; then your application can validate the user to check whether the signed-in user is in an admin role, to determine whether to allow this user to query mails.

But you also mentioned "to run in background the signing in process, no pop up window", so I'm afraid that you want to allow anyone using your application to query mail on behalf of this specific user. In this scenario, I'm afraid you can use the client credential flow directly with the application permission.

Upvotes: 0

Shane Powell

Reputation: 14138

Access to Graph API is normally done one of two ways:

The permissions required for each access type are different and are documented for each API endpoint under the Permissions section. On-behalf-of-user access requires "delegated" type permissions, and application access requires application permissions.

If you use "on behalf of user access" (i.e. you have a user fronting the authentication or you know the username/password) and the correct permissions for the API endpoints you are using, then you only have access to the data that that user has access to (even if you have permissions like ".All").

If you use "application access" then normally you need higher permissions and you can normally read all user/org data. In some specific cases you can constrain application access. Email account access happens to be one. Follow the Limit Mailbox access instructions to limit a specific application ID to a specific set of mailboxes.

Upvotes: 3
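The mailbox restriction described in this answer is configured in Exchange Online PowerShell with an Application Access Policy. The block below is an added example, not code from the answer or from Microsoft's docs; the app ID, group and mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange admin role.

```powershell
# Added example (placeholders marked <...> or using contoso.example are assumptions).
# Requires: Install-Module ExchangeOnlineManagement, and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AppId          = '<application-client-id>'                   # app registration holding Mail.Read (Application)
$ScopeGroup     = 'graph-mailreader-scope@contoso.example'    # mail-enabled security group containing ONLY the allowed mailbox
$AllowedMailbox = 'service-inbox@contoso.example'             # the one mailbox the backend may read
$OtherMailbox   = 'someone-else@contoso.example'              # any mailbox outside the scope group

# RestrictAccess: the app may only reach mailboxes that are members of $ScopeGroup.
# Every other mailbox in the tenant is denied, even though Mail.Read is tenant-wide.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Backend mail reader: limited to service-inbox only'

# Verify the policy does what was intended before the app goes live.
# AccessCheckResult should be Granted for the allowed mailbox and Denied for any other.
Test-ApplicationAccessPolicy -Identity $AllowedMailbox -AppId $AppId
Test-ApplicationAccessPolicy -Identity $OtherMailbox   -AppId $AppId

# Periodic review: list every policy that applies to this app ID.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
```

Policy changes can take a while to be honoured by Graph calls, so re-run the two Test-ApplicationAccessPolicy checks after creation rather than trusting the first result.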

vicky kumar

Reputation: 740

There is a separate Mail.Read permission for both Application and Delegated permissions. Application permissions allow the app to read mail in all mailboxes without a signed-in user, whereas Delegated permissions allow the app to read email in user mailboxes; check the doc for more info - https://learn.microsoft.com/en-us/graph/permissions-reference

In your case you want to check your mail only, so you need to use Delegated permissions, which don't require admin consent.


Hope this helps

Thanks

Upvotes: 0
