Graph permissions for Mail Read for application and restricted to one mailbox

Copper Contributor

Hey guys,

we are moving our Applications away from legacy protocolls like POP3 and IMAP. 

The Application Vendors seem to be using different approaches. Some of them had an Company App registered with MS. We needed to trust those applications once and so they got "EWS.AccessAsUser.All" Delegated Permissions assigned.

We now have another Application Vendor which wants us to do an App registration.

The application wants to connect via Graph therefore they need "Mail.Read" Permissions assigned.


This leads me to my question:
1) I dont want to grant this application Application permissions, therefore I would go for Delegated Permissions. Is it possible in that scenario to have an automated login without any manual user interaction? 

2) For the existing application which uses EWS it's, but they seem to reauthenticate the user after some months manually. (This might have been due to some MFA policy) But I'm not sure about it.

3) Should we use Application permissions for the Graph application and restrict the access ApplicationAccessPolicy? 


I know it's the job of the Application Vendors to tell us which configuration they need but they are not able to atm.


Best Regards

1 Reply
1) Only if you disable (exclude) MFA for the accounts that will be used. Alternatively the app can expose some sort of UI where you authenticate with the user, and perform MFA as needed, allowing them to capture and reuse the access/refresh token
2) See above
3) Up to you, if you want to limit access - you should. You can also use the recently introduced "native" RBAC controls for applications: