we are moving our Applications away from legacy protocolls like POP3 and IMAP.
The Application Vendors seem to be using different approaches. Some of them had an Company App registered with MS. We needed to trust those applications once and so they got "EWS.AccessAsUser.All" Delegated Permissions assigned.
We now have another Application Vendor which wants us to do an App registration.
The application wants to connect via Graph therefore they need "Mail.Read" Permissions assigned.
This leads me to my question: 1) I dont want to grant this application Application permissions, therefore I would go for Delegated Permissions. Is it possible in that scenario to have an automated login without any manual user interaction?
2) For the existing application which uses EWS it's, but they seem to reauthenticate the user after some months manually. (This might have been due to some MFA policy) But I'm not sure about it.
3) Should we use Application permissions for the Graph application and restrict the access ApplicationAccessPolicy?
I know it's the job of the Application Vendors to tell us which configuration they need but they are not able to atm.