Permissions for Microsoft Graph
The permissions needed vary depending on whether or not you enable SSO and how you want List Expansion to be handled (Client-Side, Server-Side, or both). Each possible configuration is outlined below. You can skip to the PoliteMail default configuration, Server-Side Expansion, by clicking here.
OAUTH (SSO) login to PoliteMail
Small lists (< 1000 members) can be expanded via MAPI in Outlook Desktop.
Graph Permission | Application or Delegated |
User.Read | Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
Client-Side Expansion of Entra ID Groups
Client (delegated) expansion is not currently supported from PoliteMail Online or PoliteMail for Microsoft 365.
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Delegated |
MailboxSettings.Read | Delegated |
OrgContact.Read.All | Delegated |
People.Read.All | Delegated |
User.Read.All | Delegated |
Client-side expansion of Entra ID Groups and Dynamic Distribution Groups (Exchange) via EWS
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Delegated |
MailboxSettings.Read | Delegated |
OrgContact.Read.All | Delegated |
People.Read.All | Delegated |
User.Read.All | Delegated |
EWS.AccessAsUser.All | Delegated |
Server-Side Expansion of Entra ID Groups
This is the default PoliteMail SaaS configuration requirement for M365 integration, and the most often requested.
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Application |
MailboxSettings.Read | Application |
OrgContact.Read.All | Application |
People.Read.All | Application |
User.Read.All | Application |
To restrict read.all and limit permissions to a specific mailbox, e.g. a service account, implement an Application Access Policy (Application Scopes) as described in this Microsoft article.
Server-side expansion of Entra ID Groups and Dynamic Distribution Groups (Exchange) via EWS
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Application |
MailboxSettings.Read | Application |
OrgContact.Read.All | Application |
People.Read.All | Application |
User.Read.All | Application |
full_access_as_app (Single Mailbox Application Scope) | Application |
All Features Enabled
Graph Permission | Application or Delegated |
offline_access | Delegated |
openid | Delegated |
profile | Delegated |
User.Read | Delegated |
GroupMember.Read.All | Both |
MailboxSettings.Read | Both |
OrgContact.Read.All | Both |
People.Read.All | Both |
User.Read.All | Both |
full_access_as_app (Single Mailbox Application Scope) | Application |
EWS.AccessAsUser.All | Delegated |
