We have an app that calls the following Microsoft web services:

  • GetRoomLists
  • GetUserAvailabilityRequest
  • GetRooms
  • FreeBusyResponse
  • GetUserAvailabilityResponse

The app can send Outlook calendar invites to users, read user responses and availabilities, delete invites, etc. Wondering if we need all the following Azure permissions (delegated permissions under Microsoft Exchange API). Which ones can we uncheck and the app will still work properly? Thank you,

  • Access mailboxes as the signed-in user via Exchange Web Services
  • Read all users' full profile (not checked, but "requires admin" is marked yes)
  • Read user and shared calendars
  • Read and write user and shared calendars
  • Read and write user and shared mail
  • Read user and shared mail
  • Read user and shared contacts
  • Read and write user and shared contacts

1 Answer

EWS applications must be registered with Azure Active Directory, and require the "Access mailboxes as the signed-in user via Exchange Web Services" permission of "Office 365 Exchange Online (Microsoft.Exchange)". https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

EWS only supports one grant, which is full access to the mailbox, e.g. "Access mailboxes as the signed-in user via Exchange Web Services"; all the other ones you reference are for the Graph and REST APIs, which support a more constrained permissions model. EWS at this point is more legacy, so it requires full access.

Glen Scales
  • Thank you so much! Is there any documentation explaining what the "full access" entails? Does it cover every other permission under the "delegated permission" section in Azure? Does it change based on the user's configuration (for example, whether they can see other users' calendars, etc.)? Thank you! – Sharon Yang Mar 04 '19 at 22:36
  • No, it has nothing to do with any other Azure grant. Full access means full access to the mailbox (only), the same permission you would get if you accessed the mailbox using Basic Authentication. All the underlying Exchange ACLs still take effect, however, so the rights you get to the shared mailboxes are governed by this, not by the Azure grant (unless you are using an app-only token). – Glen Scales Mar 04 '19 at 23:15
  • Thank you! If selecting this permission, when users sign in, they see two permissions being requested on the Microsoft page: "Sign you in and read your profile" and "Access your mailbox". If we uncheck the "Access mailboxes" permission in Azure and select some other permission, the "Sign you in and read your profile" permission still shows up on the Microsoft page. Do you know why it always shows up? And do you know if there is any MS documentation explaining what "Access your mailbox" would entail? We need to explain that to customers. Thank you very much! – Sharon Yang Mar 05 '19 at 17:45
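
An added example, not part of the original answer or comments: a least-privilege check that decodes the access token an app presents to EWS and lists the grants EWS does not use, so they can be unchecked on the app registration. It assumes `EWS.AccessAsUser.All` is the scope behind "Access mailboxes as the signed-in user via Exchange Web Services" and `full_access_as_app` is the app-only role; the function names are hypothetical and the sample token is constructed and unsigned.

```python
import base64
import json

EWS_DELEGATED_SCOPE = "EWS.AccessAsUser.All"  # assumed id of the EWS delegated permission
EWS_APP_ROLE = "full_access_as_app"           # assumed id of the app-only EWS role


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_ews_token(token: str) -> dict:
    """Report whether the token can call EWS and which grants EWS does not use."""
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())  # delegated: space-separated string
    roles = set(claims.get("roles", []))         # app-only: list of role names
    if roles and not scopes:
        kind, needed, granted = "app-only", EWS_APP_ROLE, roles
    else:
        kind, needed, granted = "delegated", EWS_DELEGATED_SCOPE, scopes
    return {
        "kind": kind,
        "ews_usable": needed in granted,
        "unused_by_ews": sorted(granted - {needed}),
    }


# Constructed sample: a delegated token carrying the EWS scope plus two extras.
SAMPLE = make_sample_token({
    "aud": "https://outlook.office365.com",
    "scp": "Calendars.ReadWrite.Shared EWS.AccessAsUser.All Mail.Read.Shared",
})

if __name__ == "__main__":
    print(audit_ews_token(SAMPLE))
```

Anything reported under `unused_by_ews` widens what a leaked token can reach through the REST or Graph endpoints without helping the EWS calls.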