Delegated Permission option for Mail.ReadBasic.All


I'm hoping to get some help with understanding why a permission like Mail.ReadBasic.All is not made available as a Delegated Permission. The use case in my head is that of administrators. For example, an Exchange Admin would like to review the contents of a user's mailbox. This could be the message headers on a certain message, or it could be all messages for a task like summarizing the mailbox's consumption by year. The only options for the administrator currently are:

A) Delegated permission Mail.Read.Shared + FullAccess granted from the necessary mailbox.

B) Application Permission Mail.ReadBasic.All, and the administrator pretends he/she is an application, and auditing fidelity is lost.

Both options seem inferior to the hypothetical option C:

C) Delegated permission Mail.ReadBasic.All

Is the reason simply that the design of OAuth2 from the ground up is such that Delegated permissions are limited to true self-service? If that is the case, then maybe option B really isn't all that bad from a security standpoint; just the lost auditing accuracy is still an issue.

Please help me understand this. I am used to taking advantage of application permissions for my unattended scripting needs. But as I move over to MS Graph for my interactive (administrator) needs, I find this gap strange.

Thanks in advance.

best response confirmed by Jeremy Bradshaw (Steel Contributor)

I believe I may have come up with the reason why it was chosen to NOT offer Mail.ReadBasic.All as a Delegated Permission. It may not be possible to supply the requesting user with the equivalent permission via RBAC role. The closest thing I can think of that would accomplish it would be the ApplicationImpersonation role in Exchange, which would be more permissions than we want in this scenario (re: Mail.ReadBasic.All).

It makes me think that however the Effective Permissions are made possible for Application Permissions, that same capability could stand to be available for some special case Delegated Permissions (like Mail.ReadBasic.All).
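The quickest way to confirm which of the two permission types Graph actually exposes a given permission as is to ask the tenant's Microsoft Graph service principal: delegated permissions live in its oauth2PermissionScopes, application permissions in its appRoles. The script below is an added example, not code from either post; it uses the Microsoft Graph PowerShell SDK and assumes the signed-in account can read service principals (Application.Read.All is assumed to be enough).

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph PowerShell SDK.
# Assumption: Application.Read.All is sufficient to read the Graph service principal.
#
# For each permission name, report whether Graph offers it as a Delegated permission
# (oauth2PermissionScopes), an Application permission (appRoles), or both. This makes
# the gap discussed in the thread (Mail.ReadBasic.All being application-only) visible
# from directory data rather than from memory or documentation.

function Get-GraphPermissionExposure {
    param(
        [Parameter(Mandatory)] [string[]] $PermissionName
    )

    # Well-known appId of the Microsoft Graph service principal (identical in every tenant).
    $graphAppId = '00000003-0000-0000-c000-000000000000'
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

    foreach ($name in $PermissionName) {
        # Delegated scopes: acquired on behalf of a signed-in user (the user's audit identity is kept).
        $delegated   = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        # App roles: granted to the application itself, no user in the token.
        $application = $graphSp.AppRoles               | Where-Object { $_.Value -eq $name }

        [pscustomobject]@{
            Permission       = $name
            Delegated        = [bool]$delegated
            # 'Admin' means users cannot self-consent to this delegated scope; 'User' means they can.
            DelegatedConsent = if ($delegated) { $delegated.Type } else { $null }
            Application      = [bool]$application
            ApplicationDesc  = if ($application) { $application.DisplayName } else { $null }
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All'
Get-GraphPermissionExposure -PermissionName 'Mail.ReadBasic.All', 'Mail.Read.Shared', 'Mail.ReadBasic' |
    Format-Table -AutoSize
```

Running this against a tenant gives the Delegated/Application columns directly, so a change in how Microsoft exposes a permission (such as a delegated variant appearing later) can be spotted without re-reading the permissions reference.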
