Permission setup question on an app on Azure portal for graph api to call

delaynomore 6 Reputation points
2020-12-29T03:12:44.933+00:00

Hi experts, I need to achieve this.

In my company, users send email and attachments to a dedicated email address.
Inside the email, there are some keywords to check.
A program reads the inbox of the email address regularly and extracts the email content and attachments.
It saves the useful information and attachments to a database and other file storage.

After my own study, I can use the Graph API to achieve this.
But as this is for my company, and my company is using O365, I need a dedicated email address.

As I need to use an appid and appsecret to call the Graph API from a program,
I would create an app on the Azure portal and grant the Graph permission to the app.
When registering, I selected "Accounts in this organizational directory only ([my company name] only - Single tenant)".

https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
Is this the right place?

For API permissions, I selected:

Microsoft Graph (3)

Mail.Read (Delegated): Read user mail
Mail.ReadBasic (Delegated): Read user basic mail
User.Read (Delegated): Sign in and read user profile

Further, I use another admin account to create an app on Azure.
With the generated appid and appsecret, can it read all emails of all accounts (other colleagues) inside Azure? I need to avoid this. How do I do that?


1 answer

  1. 2020-12-30T23:05:25.327+00:00

    Hello,

    1. https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade is the right place.
    2. You only need the first 2 to gain access to messages from a given user mailbox.
    3. Any global admin will be able to read any user mailbox. For more information, please take a look at Commonly used Microsoft 365 admin center roles.

    Also:
    It's recommended to use a client assertion instead of a client secret, since you can have more control over the certificate private key (not include it, secure it with a password, etc.).

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

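An added example, not part of the original thread: a Python check for inspecting, during setup, which mail permissions a token issued to the app actually carries. It relies on the Microsoft identity platform convention that delegated permissions appear in the `scp` claim and application permissions (the kind a program gets when it signs in with only an app ID and secret) appear in `roles`; the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def decode_claims(token):
    """Return the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mail_access(claims):
    """Classify the mail permissions carried by a token's claims."""
    app = sorted(p for p in claims.get("roles", []) if p.startswith("Mail."))
    delegated = sorted(p for p in claims.get("scp", "").split() if p.startswith("Mail."))
    if app:
        # Application permissions are not tied to a signed-in user, so by
        # default they apply to every mailbox in the tenant.
        return {"kind": "application", "permissions": app, "all_mailboxes": True}
    if delegated:
        # Delegated permissions act on behalf of the signed-in user.
        return {"kind": "delegated", "permissions": delegated, "all_mailboxes": False}
    return {"kind": "none", "permissions": [], "all_mailboxes": False}


def make_sample(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


# Constructed samples (placeholder IDs, not real tokens).
DELEGATED_SAMPLE = make_sample({
    "appid": "00000000-0000-0000-0000-000000000000",
    "upn": "intake@example.com",
    "scp": "Mail.Read Mail.ReadBasic User.Read",
})
APP_ONLY_SAMPLE = make_sample({
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Mail.Read"],
})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_SAMPLE), ("app-only", APP_ONLY_SAMPLE)]:
        print(name, mail_access(decode_claims(tok)))
```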
