May 09 2023 06:59 AM
Hey guys,
we are moving our Applications away from legacy protocols like POP3 and IMAP.
The Application Vendors seem to be using different approaches. Some of them had a Company App registered with MS. We needed to trust those applications once and so they got "EWS.AccessAsUser.All" Delegated Permissions assigned.
We now have another Application Vendor which wants us to do an App registration.
The application wants to connect via Graph therefore they need "Mail.Read" Permissions assigned.
This leads me to my question:
1) I don't want to grant this application Application permissions, therefore I would go for Delegated Permissions. Is it possible in that scenario to have an automated login without any manual user interaction?
2) For the existing application which uses EWS it's, but they seem to reauthenticate the user after some months manually. (This might have been due to some MFA policy) But I'm not sure about it.
3) Should we use Application permissions for the Graph application and restrict the access with ApplicationAccessPolicy?
I know it's the job of the Application Vendors to tell us which configuration they need but they are not able to atm.
Best Regards
May 09 2023 08:15 AM