Permissions for OAuth

| Protocol | Grant type | Minimum set of Microsoft Entra ID API permissions required |
|---|---|---|
| MS Graph | Resource Owner Password Credentials | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated) |
| MS Graph | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated) |
| MS Graph | Client Credentials | Mail.ReadWrite (application) |
| IMAP | Resource Owner Password Credentials | Not applicable |
| IMAP | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated), IMAP.AccessAsUser.All (delegated) |
| IMAP | Client Credentials | https://outlook.office365.com/.default |
| POP3 | Resource Owner Password Credentials | Not applicable |
| POP3 | Authorization Code | Mail.ReadWrite (delegated), Mail.ReadWrite.Shared (delegated), POP.AccessAsUser.All (delegated) |
| POP3 | Client Credentials | https://outlook.office365.com/.default |
| SMTP Outbound | Resource Owner Password Credentials | Not applicable |
| SMTP Outbound | Authorization Code | SMTP.Send (delegated) |
| SMTP Outbound | Client Credentials | https://outlook.office365.com/.default |
| RPMSG | Resource Owner Password Credentials | Not applicable |
| RPMSG | Authorization Code | https://aadrm.com/.default, offline_access |
| RPMSG | Client Credentials | https://aadrm.com/.default |

For the Authorization Code grant with MS Graph, IMAP, POP3, and SMTP Outbound:
- The scope offline_access must be passed inside the scopes parameter when requesting the authorization code.
- Passing the scopes openid and profile inside the scopes parameter when requesting the authorization code is optional.