1
votes

I have followed the Client Credentials Flow to get a client access token. This token is tied to an application with the Mail.ReadWrite permission. According to Microsoft's permission reference here, I should not need a user to get all mailboxes. I do not see a single endpoint that allows me to pull mailboxes without an associated user. How do I get a list of mailboxes my application has access to without querying for users? The code I have written is in C# and uses MSAL.NET and the Microsoft Graph API, although I have also tried using the REST API by sending the raw requests outside of the SDK.

3 Answers

0
votes

You do have the correct permission, as the Mail.ReadWrite Graph API permission does give you permission to read all mailboxes. Mailboxes are tied to either users or groups, so you would need to list either all users or all groups, but that doesn't guarantee that the mailbox exists either. You could do a Graph call to the beta endpoint, which includes licenses, and filter by assignedPlans that include Exchange. To me that would be the most elegant solution, unless someone has a better idea. I know you can list all users and then make a second call to check if mailboxSettings or calendar exists, but I find that less elegant.

Either way you would have to query for users or groups, because there is no such thing as a mailbox without a user or an o365 group.

0
votes

The Microsoft Graph API supports accessing data in users' primary and shared mailboxes, but it does not list all mailboxes for a given user or users; that can be done using Exchange PowerShell.

That being said you can, per user, do things like:

List messages:

GET /me/messages
GET /users/{id | userPrincipalName}/messages

List mail folders:

GET /me/mailFolders
GET /users/{id | userPrincipalName}/mailFolders

And others, such as the ones included in Common use cases.

Finally try to use the least privileged permission. Mail.ReadWrite is highly privileged.

0
votes

You cannot do this without having a user id or userPrincipalName. The pattern for accessing a given mailbox is https://graph.microsoft.com/v1.0/users/{id|upn}/messages. Without knowing which user you want to address, Graph cannot route your calls to the correct mailbox.

Regardless of which permissions your app needs, if you're accessing User data, you should request User.Read.All as well. Just about every call that interacts with User data will require a User id or userPrincipalName as part of that call.

Keep in mind that Exchange data can be associated with both Users and Groups so you may also need to request Group.Read.All as well.
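Putting the first answer's assignedPlans idea together with the /users/{id|upn}/messages pattern from the last one, here is an added example (not code from the question or any answer) that pages through a /users listing and keeps only accounts whose assignedPlans show an enabled Exchange plan. It assumes the plan entry uses service "exchange" and capabilityStatus "Enabled" for a provisioned mailbox, that paging uses @odata.nextLink, and that the two response pages below are constructed stand-ins for what an app-only token (which needs User.Read.All for this call) would receive.

```python
import json

# Assumed request: beta /users with $select to keep the payload small.
FIRST_URL = "https://graph.microsoft.com/beta/users?$select=id,userPrincipalName,assignedPlans"
NEXT_URL = "https://graph.microsoft.com/beta/users?$skiptoken=CONSTRUCTED"

# Constructed pages shaped like Graph's paged /users response (not captured data).
SAMPLE_PAGES = {
    FIRST_URL: json.dumps({"value": [
        {"id": "u1", "userPrincipalName": "alice@contoso.example",
         "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled"}]},
        {"id": "u2", "userPrincipalName": "unlicensed@contoso.example",
         "assignedPlans": []}],
        "@odata.nextLink": NEXT_URL}),
    NEXT_URL: json.dumps({"value": [
        {"id": "u3", "userPrincipalName": "left@contoso.example",
         "assignedPlans": [{"service": "exchange", "capabilityStatus": "Deleted"},
                           {"service": "SharePoint", "capabilityStatus": "Enabled"}]}]}),
}


def fetch_page(url):
    """Stand-in for an authenticated GET with the client-credentials bearer
    token; here it just parses the constructed page for that URL."""
    return json.loads(SAMPLE_PAGES[url])


def has_enabled_exchange_plan(user):
    """True if any assigned plan is an Exchange plan in the Enabled state
    (Deleted/Suspended plans and users with no plans are skipped)."""
    return any(p.get("service", "").lower() == "exchange"
               and p.get("capabilityStatus") == "Enabled"
               for p in user.get("assignedPlans") or [])


def mailbox_users(first_url, fetch=fetch_page):
    """Walk every page via @odata.nextLink and return (id, upn) pairs
    for users whose mailbox the app can address."""
    found, url = [], first_url
    while url:
        page = fetch(url)
        found += [(u["id"], u["userPrincipalName"])
                  for u in page.get("value", []) if has_enabled_exchange_plan(u)]
        url = page.get("@odata.nextLink")  # absent on the last page
    return found


def messages_url(user_id_or_upn):
    """Per-mailbox endpoint from the answers: /users/{id|upn}/messages."""
    return f"https://graph.microsoft.com/v1.0/users/{user_id_or_upn}/messages"
```

Replace fetch_page with a real GET carrying the Authorization header and the same paging loop covers a full tenant.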