Where can I find the needed permissions for various list handling methods?

The table below lists all permissions and whether they are Delegated (D) or Application (A) type.

  • The Minimum Required column is needed to support OAUTH (SSO) login to PoliteMail.  Small lists (less than 1000 members) can be expanded via MAPI in Outlook Desktop.
  • Other configurations shown show both client-side and server-side permissions for Entra ID group expansion, Entra ID and Dynamic Distribution Group expansion in Exchange via EWS, and with all features enabled.
  • With all features enabled, note that some permissions require both Application and Delegated types.  Generally speaking, they map to the client (delegated) or server (application) expansion options.
PermissionMinimum RequiredAzure Entra ID (Entra ID) Group ExpansionEntra ID & Exchange Dynamic Distribution Group Expansion via EWSAll Features Enabled


Client-SideServer-SideClient-SideServer-Side
offline_accessDDDDDD
openidDDDDDD
profileDDDDDD
User.ReadDDDDDD
GroupMember.Read.All
DADAA, D
MailboxSettings.Read
DADAA, D
OrgContact.Read.All
DADAA, D
People.Read.All
DADAA, D
User.Read.All
DADAA, D
EWS.AccessAsUser.All


D
D
full_access_as_app



AA