I have a Windows service app which needs to authenticate with Azure AD for multiple service accounts... each instance will have a different service account (say I have 3 instances on 3 different servers with 3 different service accounts: S1, S2, S3). This service reads from a shared email address (each instance has its own shared email: E1 for S1, E2 for S2 and E3 for S3) using the Microsoft Graph API.

What kind of permissions or setup do I need in Azure App Registration in order for S1 to read E1 (and not be able to read others), S2 for E2 and S3 for E3 only.

I am thinking of registering the app in a single tenant and adding 3 owners: S1, S2, S3. The service account then authenticates silently using user\pass and reads from the shared email. The scope should be set to Mail.Read.Shared.

An admin user will consent to the needed permissions... since there is no UI for it.

Is this the correct setup?

val f

1 Answer

From a design perspective, your idea is correct.

In addition to Mail.Read.Shared, you may also need the basic delegated permissions Mail.ReadBasic and Mail.Read to read emails.

Because you want S1 to read E1 (and not be able to read others), you should implement Get access on behalf of a user. Thus S1 can only access its own shared email.

Of course, the password flow should also be suitable for this scenario.

Allen Wu
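The setup discussed above, worked through end to end as an added example (this is not code from the question or the answer). It assumes placeholder names: tenant contoso.onmicrosoft.com, service accounts S1/S2/S3@contoso.com, shared mailboxes E1/E2/E3@contoso.com and an all-zero client ID; replace all of them. The security-relevant point it makes concrete: with a delegated scope and the password (ROPC) flow, the token carries the service account's identity, and Graph decides which shared mailbox that account may read from the Exchange mailbox permissions, not from the app registration (making S1..S3 owners of the registration grants no mailbox access). ROPC also needs "Allow public client flows" enabled on the registration (or a client_secret in the request) and does not work for accounts that must satisfy MFA.

```powershell
# Added example, not from the original post. All names below are placeholders.

# --- 1. Admin, once: grant each service account access to ITS mailbox only.
#        Graph enforces this Exchange permission, so S1 can read E1 and
#        gets 403 on E2/E3 regardless of what the app registration says. ---
Connect-ExchangeOnline
$pairs = @{
    'S1@contoso.com' = 'E1@contoso.com'
    'S2@contoso.com' = 'E2@contoso.com'
    'S3@contoso.com' = 'E3@contoso.com'
}
foreach ($svc in $pairs.Keys) {
    Add-MailboxPermission -Identity $pairs[$svc] -User $svc `
        -AccessRights FullAccess -AutoMapping $false -Confirm:$false
}
# Verify: only S1 should be listed on E1.
Get-MailboxPermission -Identity 'E1@contoso.com' |
    Where-Object { $_.User -like 'S*@contoso.com' } |
    Select-Object User, AccessRights

# --- 2. Service instance, at runtime: ROPC token for its own service
#        account, delegated scope Mail.Read.Shared (admin-consented). ---
$tenant   = 'contoso.onmicrosoft.com'
$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) ID
$cred     = Get-Credential -UserName 'S1@contoso.com' -Message 'Service account'

$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id  = $clientId
        grant_type = 'password'
        username   = $cred.UserName
        password   = $cred.GetNetworkCredential().Password
        scope      = 'https://graph.microsoft.com/Mail.Read.Shared offline_access'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# --- 3. Read the shared mailbox as the delegated user. ---
function Read-SharedInbox([string]$Mailbox) {
    $uri = "https://graph.microsoft.com/v1.0/users/$Mailbox/mailFolders/inbox/messages" +
           '?$top=5&$select=subject,from,receivedDateTime'
    try {
        (Invoke-RestMethod -Headers $headers -Uri $uri).value |
            Select-Object subject, receivedDateTime
    } catch {
        # Graph returns 403 ErrorAccessDenied when the token's user has no
        # permission on the mailbox: this is what keeps S1 out of E2 and E3.
        Write-Warning "$Mailbox : $($_.Exception.Response.StatusCode) $($_.ErrorDetails.Message)"
    }
}
Read-SharedInbox 'E1@contoso.com'   # succeeds for S1
Read-SharedInbox 'E2@contoso.com'   # 403 ErrorAccessDenied for S1
```

Step 1 is run once by an Exchange administrator; steps 2 and 3 are what each Windows service instance does with its own credential. If the second call succeeds for S1, the mailbox permissions are wrong, not the app registration. Store the service account password in a protected secret store (for example a credential the service reads with DPAPI or a key vault), never in the script.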