Permissions for Microsoft Graph
The permissions needed vary depending on whether or not you enable SSO and how you want List Expansion to be handled (Client-Side, Server-Side, or both). Each possible configuration is outlined below. You can skip to the PoliteMail default configuration, Server-Side Expansion, by clicking here.
OAUTH (SSO) login to PoliteMail
Small lists (< 1000 members) can be expanded via MAPI in Outlook Desktop.
Graph Permission |
Application or Delegated |
User.Read |
Delegated |
offline_access |
Delegated |
openid |
Delegated |
profile |
Delegated |
Client-Side Expansion of Entra ID Groups
Client (delegated) expansion is not currently supported from PoliteMail Online or PoliteMail for Microsoft 365.
Graph Permission |
Application or Delegated |
offline_access |
Delegated |
openid |
Delegated |
profile |
Delegated |
User.Read |
Delegated |
GroupMember.Read.All |
Delegated |
MailboxSettings.Read |
Delegated |
OrgContact.Read.All |
Delegated |
People.Read.All |
Delegated |
User.Read.All |
Delegated |
Client-side expansion of Entra ID Groups and Dynamic Distribution Groups (Exchange) via EWS
Graph Permission |
Application or Delegated |
offline_access |
Delegated |
openid |
Delegated |
profile |
Delegated |
User.Read |
Delegated |
GroupMember.Read.All |
Delegated |
MailboxSettings.Read |
Delegated |
OrgContact.Read.All |
Delegated |
People.Read.All |
Delegated |
User.Read.All |
Delegated |
EWS.AccessAsUser.All |
Delegated |
Server-Side Expansion of Entra ID Groups
This is the default PoliteMail SaaS configuration requirement for M365 integration, and the most often requested.
Graph Permission |
Application or Delegated |
offline_access |
Delegated |
openid |
Delegated |
profile |
Delegated |
User.Read |
Delegated |
GroupMember.Read.All |
Application |
MailboxSettings.Read |
Application |
OrgContact.Read.All |
Application |
People.Read.All |
Application |
User.Read.All |
Application |
There is no scenario where PoliteMail needs access to all mailboxes; to restrict read.all and limit permissions to a specific mailbox, e.g. a service account, implement an Application Access Policy (Application Scopes) as described in this Microsoft article.
Server-side expansion of Entra ID Groups and Dynamic Distribution Groups (Exchange) via EWS
Graph Permission |
Application or Delegated |
offline_access |
Delegated |
openid |
Delegated |
profile |
Delegated |
User.Read |
Delegated |
GroupMember.Read.All |
Application |
MailboxSettings.Read |
Application |
OrgContact.Read.All |
Application |
People.Read.All |
Application |
User.Read.All |
Application |
full_access_as_app (Single Mailbox Application Scope) |
Application |
All Features Enabled
Graph Permission |
Application or Delegated |
offline_access |
Delegated |
openid |
Delegated |
profile |
Delegated |
User.Read |
Delegated |
GroupMember.Read.All |
Both |
MailboxSettings.Read |
Both |
OrgContact.Read.All |
Both |
People.Read.All |
Both |
User.Read.All |
Both |
M365 Exchange Online Permission | Application or Delegated |
full_access_as_app (Single Mailbox Application Scope)
|
Application |
EWS.AccessAsUser.All |
Delegated |