What are the permissions needed for Microsoft Graph?

Permissions for Microsoft Graph

The permissions needed vary depending on whether or not you enable SSO and how you want List Expansion to be handled (Client-Side, Server-Side, or both). Each possible configuration is outlined below, with each permission listed alongside the type of consent it requires (Application or Delegated):

OAUTH (SSO) login to PoliteMail

Small lists (< 1000 members) can be expanded via MAPI in Outlook Desktop.

| Graph Permission | Application or Delegated |
|------------------|--------------------------|
| User.Read        | Delegated                |
| offline_access   | Delegated                |
| openid           | Delegated                |
| profile          | Delegated                |

Client-Side Expansion of AAD Groups

| Graph Permission      | Application or Delegated |
|-----------------------|--------------------------|
| offline_access        | Delegated                |
| openid                | Delegated                |
| profile               | Delegated                |
| User.Read             | Delegated                |
| GroupMember.Read.All  | Delegated                |
| MailboxSettings.Read  | Delegated                |
| OrgContact.Read.All   | Delegated                |
| People.Read.All       | Delegated                |
| User.Read.All         | Delegated                |

Client-Side Expansion of AAD Groups and Dynamic Distribution Groups (Exchange) via EWS

| Graph Permission      | Application or Delegated |
|-----------------------|--------------------------|
| offline_access        | Delegated                |
| openid                | Delegated                |
| profile               | Delegated                |
| User.Read             | Delegated                |
| GroupMember.Read.All  | Delegated                |
| MailboxSettings.Read  | Delegated                |
| OrgContact.Read.All   | Delegated                |
| People.Read.All       | Delegated                |
| User.Read.All         | Delegated                |
| EWS.AccessAsUser.All  | Delegated                |

Server-Side Expansion of AAD Groups

| Graph Permission      | Application or Delegated |
|-----------------------|--------------------------|
| offline_access        | Delegated                |
| openid                | Delegated                |
| profile               | Delegated                |
| User.Read             | Delegated                |
| GroupMember.Read.All  | Application              |
| MailboxSettings.Read  | Application              |
| OrgContact.Read.All   | Application              |
| People.Read.All       | Application              |
| User.Read.All         | Application              |

Server-Side Expansion of AAD Groups and Dynamic Distribution Groups (Exchange) via EWS

| Graph Permission      | Application or Delegated |
|-----------------------|--------------------------|
| offline_access        | Delegated                |
| openid                | Delegated                |
| profile               | Delegated                |
| User.Read             | Delegated                |
| GroupMember.Read.All  | Application              |
| MailboxSettings.Read  | Application              |
| OrgContact.Read.All   | Application              |
| People.Read.All       | Application              |
| User.Read.All         | Application              |
| full_access_as_app    | Application              |

NOTE: You may notice that the description for the full_access_as_app permission says it grants "full access to all mailboxes". Because this is an Application permission, it is not limited by any signed-in user. It is recommended to scope the full_access_as_app permission down to a single mailbox using an Exchange Online application access policy, which makes it equivalent to a "service account", as described in this Microsoft help article.
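The following Exchange Online PowerShell session shows one way to apply the scoping the note describes. It is an added example, not a PoliteMail or Microsoft script; the application ID and mailbox addresses are placeholders you must replace with your own.

```powershell
# Added example: restrict the tenant-wide full_access_as_app grant to a single
# mailbox with an Exchange Online application access policy.
# Placeholders (replace before running): $AppId, $ServiceMailbox, $OtherMailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AppId          = '00000000-0000-0000-0000-000000000000'  # placeholder: Application (client) ID of the PoliteMail app registration
$ServiceMailbox = 'politemail-svc@contoso.example'         # placeholder: the one mailbox the app should be able to access
$OtherMailbox   = 'someone.else@contoso.example'           # placeholder: any other mailbox, used to confirm the denial

# RestrictAccess allows the app to reach only the recipient(s) named in
# PolicyScopeGroupId; every other mailbox is denied even though the
# full_access_as_app grant itself remains tenant-wide.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ServiceMailbox `
    -AccessRight RestrictAccess `
    -Description 'PoliteMail: full_access_as_app scoped to the service mailbox'

# Verify the effective result: expect 'Granted' for the service mailbox
# and 'Denied' for every other mailbox.
(Test-ApplicationAccessPolicy -Identity $ServiceMailbox -AppId $AppId).AccessCheckResult
(Test-ApplicationAccessPolicy -Identity $OtherMailbox   -AppId $AppId).AccessCheckResult

# Review the policies currently applied to this application.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
```

Re-run the two Test-ApplicationAccessPolicy checks after any change to the app registration or the policy, since the grant shown in the Azure portal will still read as tenant-wide.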

All Features Enabled

| Graph Permission      | Application or Delegated |
|-----------------------|--------------------------|
| offline_access        | Delegated                |
| openid                | Delegated                |
| profile               | Delegated                |
| User.Read             | Delegated                |
| GroupMember.Read.All  | Both                     |
| MailboxSettings.Read  | Both                     |
| OrgContact.Read.All   | Both                     |
| People.Read.All       | Both                     |
| User.Read.All         | Both                     |
| full_access_as_app    | Application              |
| EWS.AccessAsUser.All  | Delegated                |