Microsoft Graph Application permissions end up as delegated permissions when granted
I have an application in azure that I wish to send emails as a specific user.
- I'm using the
Mail.Send+offline_accessdefined as anApplicationpermission. - I grant the permission from a user perspective with administrator right for the entire organization
- Using the access token - from the user I'm able to send an email as that user which is logical.
- When trying to send as another user I'm getting "Forbidden"
Looking at microsoft entra admin center for that application, the permission shows up as a "delegated" permission.
Does anyone have an idea if the access token generated from the user perspective is the one you should use for "Application" permissions or is there a different flow to get a separate access token for daemon services.
Kind regards Jens
You have mixed up Application and Delegated permission here. Having Mail.Send as an Application permission means you don't need the delegated permission. Scope is missing in the token because you don't have /.default scope.
If you decided to use delegated permissions, your app will be using an OAuth 2 flow like Auth Code flow for example and offline access + other delegated permissions will work here.
If you decide to use application permissions with say Client Credentials flow, offline_access is not applicable and only application permissions will apply.
In your case you need to just use application permissions and add the scope /.default with client credentials flow or while doing interactive login, you will then get an access token with Mail.Send in the roles scope. My advice is to choose which one fits your scenario and use just application or delegated permissions.
- Loop through rows in Excel to pick information to send Outlook emails runs into error on the second row
- Failed to launch outlook on Power Automate
- how to import OST files into Outlook for Microsoft365
- VBA: initializing a string array
- Create email if file for attachment exists
- Clicking on a link doesn't work, but copy-paste the link in browser works
- Connecting to OUTLOOK365 from Selenium Java
- Automatically open a task pane in Outlook web add-in if a user is starting to read a flagged email
- Using MSAL.js in Outlook Add-in with Office.js authentication
- Python - send meeting but do not show in my callendar
- Open received email via ms-outlook://emails/ URI Scheme
- Power apps - Send email with attachment error
- What's the best library for reading Outlook .msg files in Java?
- Outlook (.ics) TimeStamp ISO 8601 misinterpretation
- Identifying DSN (Delivery Status Notifications) or NDR (Non Delivery Reports) and the failed recipients in Microsoft Graph / Outlook REST API
- [Powershell/MS Outlook]: Add folder to Favorites in Navigation Pane
- Outlook inconsistency with execution - Python
- Is it possible to create custom page like Mails, Calendar or People in Outlook Add-in?
- Creating a ribbon button to open a browser link
- How can I send Excel range including header, in table, and email to list?
- Outlook read calender working on Windows Business 11, but not windows 10
- Monitoring all sent items folders in add in
- Trying to send screenshot of excel in an email
- How to apply ItemAdd event to a subfolder
- Expected response code 250 but got code "", with message ""
- Correct syntax to extract email address in 'autodiscover.php'
- Find out if an attachment is embedded or attached
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Word file from SharePoint corrupted when sent via Outlook
- Sub Application_Quit() clears the value of defined variable