MicrosoftGraph user impersonation for accessing mail messages


I want to get all users' email messages. I'm using code flow authentication and I'm developing a multi-tenant application with delegated permissions. I think the token flow authentication (for daemon or single-tenant) is not suitable for me.

https://graph.microsoft.com/v1.0/me/messages

The above API returns only the authenticated user's messages. Is there a way to sign in users (impersonation) using the Graph API? Please provide a solution for this issue.


There are 2 answers

Yina - MSFT (best answer)

To get messages for all users in the organization you can use either a delegated flow or a client credential flow.

With the delegated flow you request access for all users in the organization using the admin consent endpoint. An administrator consents to the app on behalf of all the users in the organization; when the users interact with the app they get no consent UI, and the app can get an access token for the user that has the delegated permissions to the app and the resource it requested. Here is the article that describes how to do it: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-scopes#admin-restricted-scopes

The second option is more suitable if you are building a non-interactive application, like a service daemon; in this case you can access the data only with the identity of the application. Here is the article that describes how to do the client credentials flow: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-oauth-client-creds

With either approach, to access mailboxes you request the Mail.Read permission and then make the request to the https://graph.microsoft.com/v1.0/users(userId|UPN)/messages endpoint.

Yogesh

If you have delegated permissions then you can do https://graph.microsoft.com/v1.0/users('[email protected]')/messages to get messages of the delegated/impersonated user.
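Both answers above end at the same `users/{id|UPN}/messages` endpoint, but which token you hold decides whether that call is allowed. The following is an added example, not code from either answer or from Microsoft: it tells a delegated token (auth code flow, `scp` claim) apart from an app-only token (client credentials, `roles` claim), checks the `tid` claim against the tenants the multi-tenant app has onboarded, and picks the endpoint the token can actually use. The tenant list, the sample tokens (constructed, unsigned JWTs) and the function names are assumptions made for the example; a real service must validate signature, issuer, audience and expiry before trusting any claim.

```python
import base64
import json
import urllib.parse
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# Constructed for this example: tenants this multi-tenant app has onboarded.
# A multi-tenant app must check the token's tid against its own list; a
# Microsoft-issued token from a stranger's tenant is still a valid token.
ONBOARDED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite"}
SHARED_MAIL_SCOPES = {"Mail.Read.Shared", "Mail.ReadWrite.Shared"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the functions below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Read the payload without verifying it. Caveat: a real service must
    validate signature, issuer, audience and expiry before trusting a claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))


def token_kind(claims: dict) -> str:
    """Delegated (auth code flow) tokens carry 'scp', a space-separated string;
    app-only (client credentials) tokens carry 'roles', a list."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    raise ValueError("token carries neither scp nor roles")


def granted_permissions(claims: dict) -> set:
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def check_tenant(claims: dict) -> str:
    tid = claims.get("tid")
    if tid not in ONBOARDED_TENANTS:
        raise PermissionError(f"tenant {tid!r} is not onboarded")
    return tid


def messages_url(claims: dict, mailbox: Optional[str] = None) -> str:
    """Return the Graph endpoint this token can use to read the given mailbox
    (None = the signed-in user), or raise if the token cannot."""
    check_tenant(claims)
    perms = granted_permissions(claims)
    if token_kind(claims) == "application":
        # App-only: there is no signed-in user, so /me does not exist. Mail.Read
        # as an application permission reaches every mailbox in the tenant,
        # which is why it needs admin consent; always name the mailbox.
        if not mailbox:
            raise ValueError("app-only token: name the mailbox to read")
        if not perms & MAIL_SCOPES:
            raise PermissionError("app-only token lacks Mail.Read")
        return f"{GRAPH}/users/{urllib.parse.quote(mailbox, safe='@')}/messages"
    own = claims.get("preferred_username", "").lower()
    if mailbox is None or mailbox.lower() == own:
        if not perms & MAIL_SCOPES:
            raise PermissionError("delegated token lacks Mail.Read")
        return f"{GRAPH}/me/messages"
    # Delegated Mail.Read covers only the signed-in user's mailbox. Another
    # user's mailbox needs the *.Shared scope plus Exchange-side delegate access.
    if not perms & SHARED_MAIL_SCOPES:
        raise PermissionError("delegated token cannot read another user's mailbox")
    return f"{GRAPH}/users/{urllib.parse.quote(mailbox, safe='@')}/messages"


def admin_consent_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Admin consent endpoint: one tenant admin grants the app for all users,
    after which those users sign in without a consent prompt."""
    q = urllib.parse.urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                                "scope": " ".join(scopes), "state": state})
    return f"{LOGIN}/common/v2.0/adminconsent?{q}"


def client_credentials_request(tid: str, client_id: str, client_secret: str):
    """Token request for the app-only flow. It must target the customer's own
    tenant (taken from the onboarded tid); /common is not valid here."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials",
            "scope": "https://graph.microsoft.com/.default"}
    return f"{LOGIN}/{tid}/oauth2/v2.0/token", body
```

The practical consequence for the question: an app-only token with `Mail.Read` can call `/users/{anyone}/messages`, while a delegated token with `Mail.Read` only ever reads the signed-in user's own mailbox, admin consent or not; reading other mailboxes on a user's behalf needs the shared-mail scope and mailbox permissions in Exchange.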