We are implementing a significant update in our service affecting applications that modify sensitive properties on non-draft email messages. These sensitive properties include the subject, body, recipients, and a number of other properties when changed using any of the message update methods on Graph API.
Immutability of Received Email Messages
There is a fundamental expectation that once an email message has been received, it should remain unchanged except for specific management-related properties such as read status, flags, and similar attributes. Critical components like the address list, subject, and body text should not be altered unless a new draft message is created. Exceptions to this rule are specialized use-cases, particularly within the security domain, such as identifying suspicious emails and other privileged operations.
Required Permissions for Modifying Sensitive Properties
To maintain the expected immutability of email messages during standard management operations, we will begin restricting applications from modifying sensitive message properties in non-draft messages unless they possess elevated permissions. Specifically, applications must have one of the following permissions: Mail-Advanced.ReadWrite, Mail-Advanced.ReadWrite.All, or Mail-Advanced.ReadWrite.Shared, depending on the scenario. All these permissions require a tenant administrator consent.
The documentation page identifies sensitive properties as those that are only updateable if isDraft = true. Once the restriction goes into effect, these properties can only be updated in non-draft messages if the application has Mail-Advanced.ReadWrite permissions. Draft messages will continue to be updateable with the current Mail.ReadWrite permissions.
Timeline and Recommendations
These required permissions are already available. Enforcement of the new restrictions in our service – blocking Graph API updates to sensitive email properties – will begin on 12/31/2026. If you develop Graph API applications that modify these properties, we strongly recommend updating your applications to request the necessary higher-level permissions as soon as possible. This proactive approach will help ensure a smooth transition and minimize potential disruptions for your customers.
The Exchange Team
