
LogicApps: MSGraph API Read Shared Mailbox Only


My goal is to use the msgraph api via logic apps to query a shared mailbox and return the result for a keyword in the subject line.


Above is what I currently have written.

I would like to know if this query is correct.

What is the least privileged role I can give to an auth app registration or managed identity to achieve this task? Ideally I don't want to give this app reg / identity permission to read anything other than the mailbox specified.

Verify query:

https://graph.microsoft.com/v1.0/users/@{items('For_each_5')}/messages?$filter=from/emailAddress/address eq 'sharedmailbox@example.com.au' and toRecipients/any(r:r/emailAddress/address eq '@{items('For_each_5')}') and contains(subject, 'keyword')&$select=subject,from,toRecipients,receivedDateTime,bodyPreview

Solution

  • I think that toRecipients is not supported when using $filter. I would prefer to use $search. The query will be more readable:

    https://graph.microsoft.com/v1.0/users/@{items('For_each_5')}/messages?$search="from:sharedmailbox@example.com.au and to:@{items('For_each_5')} and subject:keyword"&$select=subject,from,toRecipients,receivedDateTime,bodyPreview
    

    The managed identity needs Mail.Read application permission, but you can limit access to specific mailboxes.

    https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access?view=graph-rest-1.0
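An added example of the mailbox scoping the answer links to (not code from the question or the answer): an Exchange Online PowerShell session that restricts the app registration or managed identity to a mail-enabled security group containing only the shared mailbox, then checks the result with Test-ApplicationAccessPolicy. The AppId, group name and mailbox addresses are placeholders.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Placeholder values: replace with the app registration / managed identity client ID
# and a mail-enabled security group whose only member is the shared mailbox.
$appId       = '00000000-0000-0000-0000-000000000000'
$scopeGroup  = 'GraphMailboxScope@example.com.au'
$sharedBox   = 'sharedmailbox@example.com.au'
$otherBox    = 'someone.else@example.com.au'

# RestrictAccess: with this policy in place, Mail.Read (application) only works
# against mailboxes that are members of $scopeGroup. Every other mailbox returns 403.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Logic App: read shared mailbox only'

# Verify the policy does what was intended. Expect Granted for the shared mailbox
# and Denied for any mailbox outside the group. Policy changes can take up to
# 30 minutes to take effect, so re-run the checks if the first result is unexpected.
Test-ApplicationAccessPolicy -Identity $sharedBox -AppId $appId |
    Select-Object AppId, Mailbox, AccessCheckResult
Test-ApplicationAccessPolicy -Identity $otherBox  -AppId $appId |
    Select-Object AppId, Mailbox, AccessCheckResult
```

The Logic App's HTTP action then uses the managed identity to call the `$search` URL above; if the policy is correct, the same call against any other mailbox fails with 403 rather than silently returning data.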