Graph authentication through Client Credentials flow - Will my app have access to just my user account or to the whole organization?

广开言路 2021-01-06 00:22

I have a daemon script that needs to access my Office 365 inbox to read messages. Currently I am using basic authentication with V1.0 of the Outlook Rest API, which works we

2 answers
  • 2021-01-06 00:58

    That is correct. If you use Client Credentials, you are by definition using Application Scopes. These tokens have no "user" context and are therefore tenant-wide permissions. This is why Application Scopes always require Admin Consent before they can be used.

    From the documentation:

    Mail.Read (Read mail in all mailboxes)

    Allows the app to read mail in all mailboxes without a signed-in user.

    If this is just for your mailbox rather than something you're deploying to others, you can use the Authorization Code Grant with the offline_access scope to obtain both an access_token and refresh_token.

    Once you've "seeded" your app with the token, the app can use the refresh_token to obtain a new access_token when it expires. You may occasionally need to re-seed your app/service (for example, if your password changes) but otherwise, it should work without interaction.

  • 2021-01-06 01:04

    It is now possible to scope application permissions according to Microsoft Docs.

    Some apps call Microsoft Graph using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without the presence of a signed-in user. These apps make use of OAuth 2.0 client credentials grant flow to authenticate and are configured with application permissions, which enable such apps to access all mailboxes in an organization on Exchange Online. For example, the Mail.Read application permission allows apps to read mail in all mailboxes without a signed-in user.

    Administrators who want to limit the app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.

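The mailbox restriction mentioned in the second answer, as an added example that is not part of either answer or of Microsoft's documentation: it scopes an app holding the Mail.Read application permission to a single mailbox and then checks the result in both directions. The app ID, addresses and group name are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example. Every identifier below is a placeholder (assumption), not a value from the page.
$AppId      = '00000000-0000-0000-0000-000000000000'  # client (application) ID of the daemon app
$ScopeGroup = 'daemon-mailboxes@contoso.example'      # mail-enabled security group used as policy scope
$Allowed    = 'me@contoso.example'                    # the one mailbox the daemon should read
$Other      = 'colleague@contoso.example'             # any mailbox that must stay out of reach

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# The policy scope is a mail-enabled group; create one that holds only the allowed mailbox.
New-DistributionGroup -Name 'Daemon Mailboxes' -Type Security `
    -PrimarySmtpAddress $ScopeGroup -Members $Allowed

# RestrictAccess: the app can reach only mailboxes that are members of the scope group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit daemon app to the Daemon Mailboxes group'

# Check both directions: the allowed mailbox must be granted, any other mailbox denied.
$in  = Test-ApplicationAccessPolicy -AppId $AppId -Identity $Allowed
$out = Test-ApplicationAccessPolicy -AppId $AppId -Identity $Other
if ("$($in.AccessCheckResult)" -ne 'Granted' -or "$($out.AccessCheckResult)" -ne 'Denied') {
    throw "Policy not scoped as intended: allowed=$($in.AccessCheckResult) other=$($out.AccessCheckResult)"
}

# Keep a record of the policies that now apply to this app.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

A new policy can take a while to reach Microsoft Graph, so repeat the check with a real app-only token against an out-of-scope mailbox before relying on it.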