What are the permissions needed for Microsoft Graph?

Permissions for Microsoft Graph

The permissions needed vary depending on whether or not you enable SSO and how you want List Expansion to be handled (Client-Side, Server-Side, or both).  Each possible configuration is outlined below.  You can skip to the PoliteMail default configuration, Server-Side Expansion, by clicking here.

OAUTH (SSO) login to PoliteMail

Small lists (< 1000 members) can be expanded via MAPI in Outlook Desktop.

Graph Permission

Application or Delegated

User.Read

Delegated

offline_access

Delegated

openid

Delegated

profile

Delegated

Client-Side Expansion of Entra ID Groups

Client (delegated) expansion is not currently supported from PoliteMail Online or PoliteMail for Microsoft 365.

Graph Permission

Application or Delegated

offline_access

Delegated

openid

Delegated

profile

Delegated

User.Read

Delegated

GroupMember.Read.All

Delegated

MailboxSettings.Read

Delegated

OrgContact.Read.All

Delegated

People.Read.All

Delegated

User.Read.All

Delegated

Client-side expansion of Entra ID Groups and Dynamic Distribution Groups (Exchange) via EWS

Graph Permission

Application or Delegated

offline_access

Delegated

openid

Delegated

profile

Delegated

User.Read

Delegated

GroupMember.Read.All

Delegated

MailboxSettings.Read

Delegated

OrgContact.Read.All

Delegated

People.Read.All

Delegated

User.Read.All

Delegated

EWS.AccessAsUser.All

Delegated

Server-Side Expansion of Entra ID Groups

This is the default PoliteMail SaaS configuration requirement for M365 integration, and the most often requested.

Graph Permission

Application or Delegated

offline_access

Delegated

openid

Delegated

profile

Delegated

User.Read

Delegated

GroupMember.Read.All

Application

MailboxSettings.Read

Application

OrgContact.Read.All

Application

People.Read.All

Application

User.Read.All

Application


There is no scenario where PoliteMail needs access to all mailboxes; to restrict read.all and limit permissions to a specific mailbox, e.g. a service account, implement an Application Access Policy (Application Scopes) as described in this Microsoft article.

Server-side expansion of Entra ID Groups and Dynamic Distribution Groups (Exchange) via EWS

Graph Permission

Application or Delegated

offline_access

Delegated

openid

Delegated

profile

Delegated

User.Read

Delegated

GroupMember.Read.All

Application

MailboxSettings.Read

Application

OrgContact.Read.All

Application

People.Read.All

Application

User.Read.All

Application

full_access_as_app (Single Mailbox Application Scope)

Application

All Features Enabled

Graph Permission

Application or Delegated

offline_access

Delegated

openid

Delegated

profile

Delegated

User.Read

Delegated

GroupMember.Read.All

Both

MailboxSettings.Read

Both

OrgContact.Read.All

Both

People.Read.All

Both

User.Read.All

Both

M365 Exchange Online Permission Application or Delegated
full_access_as_app (Single Mailbox Application Scope)

Application

EWS.AccessAsUser.All

Delegated