Permissions for OAuth
Protocol | Grant type | Minimum set of Azure Active Directory API permissions required |
---|---|---|
MS Graph | Resource Owner Password Credentials | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated) |
MS Graph | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated) |
MS Graph | Client Credentials | Mail.ReadWrite (application) |
IMAP | Resource Owner Password Credentials | Not applicable |
IMAP | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated), IMAP.AccessAsUser.All (delegated) |
IMAP | Client Credentials | Not supported by Microsoft Azure Active Directory. |
POP3 | Resource Owner Password Credentials | Not applicable |
POP3 | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated), POP.AccessAsUser.All (delegated) |
POP3 | Client Credentials | Not supported by Microsoft Azure Active Directory. |
SMTP Outbound | Resource Owner Password Credentials | Not applicable |
SMTP Outbound | Authorization Code | SMTP.Send (delegated) |
SMTP Outbound | Client Credentials | Not supported by Microsoft Azure Active Directory. |

For the Authorization Code grant with MS Graph, IMAP/POP3 using OAuth, and SMTP Outbound using OAuth:
- The scope "offline_access" must be passed inside the scopes parameter while requesting the authorization code.
- Passing the scopes "openid" and "profile" inside the scopes parameter while requesting the authorization code is optional.
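
A least-privilege check for the rules above, as an added example (not code from the product this page documents): it parses an authorization request URL and reports scopes that are missing from, or in excess of, the minimum set in the table. The function name `audit_authorize_url`, the sample URLs, and the placeholder tenant and client IDs are constructed for illustration; it assumes the request carries its scopes in the standard OAuth 2.0 `scope` query parameter and that a scope may be prefixed with a resource URI.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Minimum delegated permissions for the Authorization Code grant (from the table above).
MIN_DELEGATED = {
    "MS Graph": {"Mail.ReadWrite", "Mail.ReadWrite.Shared"},
    "IMAP": {"Mail.ReadWrite", "Mail.ReadWrite.Shared", "IMAP.AccessAsUser.All"},
    "POP3": {"Mail.ReadWrite", "Mail.ReadWrite.Shared", "POP.AccessAsUser.All"},
    "SMTP Outbound": {"SMTP.Send"},
}
REQUIRED_EXTRA = {"offline_access"}      # must be passed
OPTIONAL_EXTRA = {"openid", "profile"}   # may be passed


def _normalize(scope: str) -> str:
    """Drop a resource-URI prefix so 'https://host/SMTP.Send' compares as 'SMTP.Send'."""
    return scope.rsplit("/", 1)[-1] if "://" in scope else scope


def audit_authorize_url(url: str, protocol: str) -> dict:
    """Return the scopes missing from, and in excess of, the minimum set for `protocol`."""
    if protocol not in MIN_DELEGATED:
        raise ValueError(f"unknown protocol: {protocol}")
    query = parse_qs(urlparse(url).query)
    if "code" not in query.get("response_type", [""])[0].split():
        raise ValueError("not an authorization code request")
    requested = {_normalize(s) for s in query.get("scope", [""])[0].split()}
    required = MIN_DELEGATED[protocol] | REQUIRED_EXTRA
    return {
        "missing": sorted(required - requested),
        "excess": sorted(requested - required - OPTIONAL_EXTRA),
    }


def _sample(scope: str) -> str:
    # Constructed request; TENANT_ID and CLIENT_ID are placeholders, not real values.
    params = {"client_id": "CLIENT_ID", "response_type": "code",
              "redirect_uri": "https://app.example/callback", "scope": scope}
    return "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?" + urlencode(params)


GOOD_IMAP = _sample("offline_access openid Mail.ReadWrite Mail.ReadWrite.Shared IMAP.AccessAsUser.All")
OVERBROAD_SMTP = _sample("https://outlook.office.com/SMTP.Send Mail.ReadWrite openid")

if __name__ == "__main__":
    print(audit_authorize_url(GOOD_IMAP, "IMAP"))
    print(audit_authorize_url(OVERBROAD_SMTP, "SMTP Outbound"))
```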