The table below lists all permissions and whether they are Delegated (D) or Application (A) type.
- The Minimum Required column lists the permissions needed to support OAuth (SSO) login to PoliteMail. Small lists (fewer than 1000 members) can be expanded via MAPI in Outlook Desktop.
- The other configurations show both client-side and server-side permissions for Entra ID group expansion, for Entra ID and Dynamic Distribution Group expansion in Exchange via EWS, and for all features enabled.
- With all features enabled, note that some permissions require both Application and Delegated types. Generally speaking, they map to the client (delegated) or server (application) expansion options.

Permission | Minimum Required | Azure Entra ID (Entra ID) Group Expansion: Client-Side | Azure Entra ID (Entra ID) Group Expansion: Server-Side | Entra ID & Exchange Dynamic Distribution Group Expansion via EWS: Client-Side | Entra ID & Exchange Dynamic Distribution Group Expansion via EWS: Server-Side | All Features Enabled |
---|---|---|---|---|---|---|
offline_access | D | D | D | D | D | D |
openid | D | D | D | D | D | D |
profile | D | D | D | D | D | D |
User.Read | D | D | D | D | D | D |
GroupMember.Read.All | | D | A | D | A | A, D |
MailboxSettings.Read | | D | A | D | A | A, D |
OrgContact.Read.All | | D | A | D | A | A, D |
People.Read.All | | D | A | D | A | A, D |
User.Read.All | | D | A | D | A | A, D |
EWS.AccessAsUser.All | | | | D | | D |
full_access_as_app* | | | | | A | A |

* PoliteMail uses the full_access_as_app permission to interact with EWS in user-not-present scenarios, such as messages that are scheduled for delivery hours or weeks in the future. To ensure secure and appropriate usage, we recommend scoping it to a single mailbox with an Application Access Policy, which makes the permission much more akin to a service account.
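
One way to apply and verify the Application Access Policy recommended above, using the Exchange Online PowerShell module. This is an added example, not PoliteMail's own script. The app ID is a placeholder, and the mailbox and group addresses are assumed names to replace with your tenant's values.

```powershell
# Added example. Every value in this block is a placeholder or an assumed name.
$AppId          = '00000000-0000-0000-0000-000000000000'  # placeholder: client ID of the PoliteMail app registration
$ServiceMailbox = 'politemail-svc@contoso.example'        # assumed: the single mailbox the app may open
$OtherMailbox   = 'someone.else@contoso.example'          # assumed: any mailbox that must stay out of reach
$ScopeGroup     = 'politemail-ews-scope@contoso.example'  # assumed: mail-enabled security group used as the scope

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# The policy scope is a mail-enabled security group whose only member is the service mailbox.
if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'PoliteMail EWS Scope' -Type Security `
        -PrimarySmtpAddress $ScopeGroup -Members $ServiceMailbox | Out-Null
}

# RestrictAccess limits the app to members of the scope group; all other mailboxes are denied.
if (-not (Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Limit PoliteMail full_access_as_app to its service mailbox' | Out-Null
}

# Check both directions: the service mailbox must be Granted, any other mailbox Denied.
$results = foreach ($mbx in $ServiceMailbox, $OtherMailbox) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{ Mailbox = $mbx; Result = $r.AccessCheckResult }
}
$results | Format-Table -AutoSize

$expected = @{ $ServiceMailbox = 'Granted'; $OtherMailbox = 'Denied' }
$bad = $results | Where-Object { $_.Result -ne $expected[$_.Mailbox] }
if ($bad) { throw "Policy is not scoping as intended: $($bad.Mailbox -join ', ')" }
```

Re-run the verification loop whenever membership of the scope group changes, since anyone added to that group becomes reachable by the application permission.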