Permissions to access shared mailbox to read and send emails

jgauffin 0 Reputation points
2025-01-19T22:09:30.6266667+00:00

I'm building a service which will read emails from a shared mailbox and then reply to those emails. It will run as a service, so I'm using app permissions instead of delegated permissions.

It's a multitenant application, so I've created an app in our organization and configured it for "Multiple organisations". I've set it to request "Mail.Read.Shared" and "Mail.Send.Shared" (app privileges).

I redirect to $"https://login.microsoftonline.com/{tenant}/adminconsent?client_id={_microsoftSettings.ClientId}&state=12345&redirect_uri=MY__URI__REMOVED", which works and I get success back.

I've configured the GraphClientService using clientId/secret and tried both with my correct tenantId and with "common" as the tenantId.

But no matter what I try, I can neither send nor read emails from the shared mailbox. Can you please provide a guide on how to do that?

I would also like to be able to list all shared mailboxes and let my customer select the correct one instead of having them type it. But AFAIK it's not possible to list shared mailboxes?


2 answers

  1. Yakun Huang-MSFT 9,780 Reputation points Microsoft Vendor
    2025-01-20T02:47:00.47+00:00

    Hello jgauffin,

    Thank you for reaching out to Microsoft Support!

    According to the documentation, "Mail.Read.Shared" and "Mail.Send.Shared" are delegated permissions, not application permissions.


    You can use application permissions to send or read messages from a shared mailbox, but they are not limited to the shared mailbox: they grant access to the mailboxes of all users in that tenant.

    To get the mail in the shared mailbox with application permissions, the permission you need to add is Mail.Read, and the request path is as follows:

    GET /users/{id | userPrincipalName}/messages
    

    When using application permissions to send mail, the permission you need to add is Mail.Send, and the request path is as follows:

    POST /users/{id | userPrincipalName}/sendMail
    

    For listing all shared mailboxes, the Graph API does not provide such a function at present. You can obtain all user mailboxes by listing all user information with GET /users and selecting the mailbox you need to access.

    Reference document:

    https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http

    https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. Bruce (SqlWork.com) 70,376 Reputation points
    2025-01-20T23:04:13.81+00:00

    The clientid / secret is application access and has no user id and thus no user permissions. Therefore the app can either use delegated permission of a user via their oauth token, or be given full access to all mailboxes (admin).

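The app-only flow that both answers describe, as an added example rather than code from the question or either answer: a client-credentials token issued in the customer's tenant, then GET /users/{mailbox}/messages with application permission Mail.Read and POST /users/{mailbox}/sendMail with Mail.Send. It assumes the Microsoft.Graph v5 SDK and Azure.Identity packages; the tenant id, client id, client secret and the shared mailbox address are placeholders read from the environment. Note that the client credentials grant is issued per tenant, so the customer's tenant id (from the admin consent redirect) is used rather than "common".

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Users.Item.SendMail;

// Added example (not from the question or either answer): app-only access to a shared mailbox
// using the application permissions Mail.Read and Mail.Send described in the first answer.
public sealed class SharedMailboxService
{
    private readonly GraphServiceClient _graph;
    private readonly string _sharedMailbox;

    public SharedMailboxService(string tenantId, string clientId, string clientSecret, string sharedMailbox)
    {
        // Client credentials flow: the token represents the application, not a user, so only
        // application permissions consented in this tenant apply. The grant is per tenant, so
        // tenantId must be the customer's tenant, not "common".
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        _graph = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });
        _sharedMailbox = sharedMailbox;
    }

    // GET /users/{sharedMailbox}/mailFolders/Inbox/messages  (application permission Mail.Read)
    public async Task<IReadOnlyList<Message>> ReadUnreadInboxAsync(int top = 25)
    {
        var page = await _graph.Users[_sharedMailbox].MailFolders["Inbox"].Messages.GetAsync(cfg =>
        {
            cfg.QueryParameters.Filter = "isRead eq false";
            cfg.QueryParameters.Select = new[] { "id", "subject", "from", "receivedDateTime" };
            cfg.QueryParameters.Orderby = new[] { "receivedDateTime desc" };
            cfg.QueryParameters.Top = top;
        });
        return page?.Value ?? new List<Message>();
    }

    // POST /users/{sharedMailbox}/sendMail  (application permission Mail.Send)
    public async Task ReplyAsync(Message original, string bodyText)
    {
        var replyTo = original.From?.EmailAddress?.Address;
        if (string.IsNullOrWhiteSpace(replyTo))
            throw new InvalidOperationException("Original message has no sender address to reply to.");

        var request = new SendMailPostRequestBody
        {
            Message = new Message
            {
                Subject = "Re: " + (original.Subject ?? string.Empty),
                Body = new ItemBody { ContentType = BodyType.Text, Content = bodyText },
                ToRecipients = new List<Recipient>
                {
                    new Recipient { EmailAddress = new EmailAddress { Address = replyTo } }
                }
            },
            SaveToSentItems = true  // keep a copy in the shared mailbox's Sent Items
        };
        await _graph.Users[_sharedMailbox].SendMail.PostAsync(request);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholder configuration; real values come from the app registration and the
        // customer's tenant.
        var service = new SharedMailboxService(
            Environment.GetEnvironmentVariable("TENANT_ID") ?? "<customer-tenant-id>",
            Environment.GetEnvironmentVariable("CLIENT_ID") ?? "<app-client-id>",
            Environment.GetEnvironmentVariable("CLIENT_SECRET") ?? "<app-client-secret>",
            "support@contoso.example");  // placeholder shared mailbox address

        foreach (var message in await service.ReadUnreadInboxAsync())
            await service.ReplyAsync(message, "Thanks, we received your message.");
    }
}
```

Because Mail.Read and Mail.Send as application permissions cover every mailbox in the tenant, a leaked client secret exposes all of them, not just the shared mailbox. Exchange Online application access policies (the New-ApplicationAccessPolicy cmdlet) let the customer's admin restrict this app registration to the shared mailbox or a mail-enabled security group, which is the standard way to narrow the blast radius of the tenant-wide grant.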
