Graph authentication through Client Credentials flow - Will my app have access to just my user account or to the whole organization?

Question

I have a daemon script that needs to access my Office 365 inbox to read messages. Currently I am using basic authentication with V1.0 of the Outlook Rest API, which works we

Answer 1

It is now possible to scope application permissions according to Microsoft Docs.

Some apps call Microsoft Graph using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without the presence of a signed-in user. These apps make use of OAuth 2.0 client credentials grant flow to authenticate and are configured with application permissions, which enable such apps to access all mailboxes in a organization on Exchange Online. For example, the Mail.Read application permission allows apps to read mail in all mailboxes without a signed-in user.

Administrators who want to limit the app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.