Permissions for Microsoft Graph
The permissions needed vary depending on whether or not you enable SSO and how you want List Expansion to be handled (Client-Side, Server-Side, or both). Each possible configuration is outlined below:
OAUTH (SSO) login to PoliteMail
Small lists (< 1000 members) can be expanded via MAPI in Outlook Desktop.
Graph Permission | Application or Delegated |
User.Read | Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
Client-Side Expansion of AAD Groups
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Delegated |
MailboxSettings.Read | Delegated |
OrgContact.Read.All | Delegated |
People.Read.All | Delegated |
User.Read.All | Delegated |
Client-side expansion of AAD Groups and Dynamic Distribution Groups (Exchange) via EWS
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Delegated |
MailboxSettings.Read | Delegated |
OrgContact.Read.All | Delegated |
People.Read.All | Delegated |
User.Read.All | Delegated |
EWS.AccessAsUser.All | Delegated |
Server-Side Expansion of AAD Groups
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Application |
MailboxSettings.Read | Application |
OrgContact.Read.All | Application |
People.Read.All | Application |
User.Read.All | Application |
Server-side expansion of AAD Groups and Dynamic Distribution Groups (Exchange) via EWS
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Application |
MailboxSettings.Read | Application |
OrgContact.Read.All | Application |
People.Read.All | Application |
User.Read.All | Application |
full_access_as_app | Application |
NOTE: You may notice that the description for the full_access_as_app permission says it grants "full access to all mailboxes". It is recommended to scope the full_access_as_app permission down to a single mailbox which makes it equivalent to a “service account”, as described in this Microsoft help article.
All Features Enabled
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Both |
MailboxSettings.Read | Both |
OrgContact.Read.All | Both |
People.Read.All | Both |
User.Read.All | Both |
full_access_as_app | Application |
EWS.AccessAsUser.All | Delegated |
