Permissions for OAuth
| Protocol | Grant type | Minimum set of Microsoft Entra ID API permissions required |
|---|---|---|
| MS Graph | Resource Owner Password Credentials | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated) |
| MS Graph | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated) |
| MS Graph | Client Credentials | Mail.ReadWrite (application) |
| IMAP | Resource Owner Password Credentials | Not applicable |
| IMAP | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated), IMAP.AccessAsUser.All (delegated) |
| IMAP | Client Credentials | https://outlook.office365.com/.default |
| POP3 | Resource Owner Password Credentials | Not applicable |
| POP3 | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated), POP.AccessAsUser.All (delegated) |
| POP3 | Client Credentials | https://outlook.office365.com/.default |
| SMTP Outbound | Resource Owner Password Credentials | Not applicable |
| SMTP Outbound | Authorization Code | SMTP.Send (delegated) |
| SMTP Outbound | Client Credentials | https://outlook.office365.com/.default |
| RPMSG | Resource Owner Password Credentials | Not applicable |
| RPMSG | Authorization Code | https://aadrm.com/.default, offline_access |
| RPMSG | Client Credentials | https://aadrm.com/.default |

For the Authorization Code grant with MS Graph, IMAP, POP3, and SMTP Outbound:

- The scope offline_access must be passed inside the scopes parameter when requesting the authorization code.
- Passing the scopes openid and profile inside the scopes parameter when requesting the authorization code is optional.