I'm trying to download emails through an Office 365 app in an MVC web app, and I'm struggling with configuring the app permissions in Azure Active Directory. The permission says "Read mail in All mailboxes"; however, I want to choose which mailboxes the app can access/read.
Does anyone know how to be more specific when setting up permissions in AAD? Thanks for any help.
// App-only (client credentials) sign-in: the token is issued to the application
// itself from its client id and secret, not to a signed-in user.
// NOTE(review): with the "Read mail in All mailboxes" application permission this
// secret presumably unlocks every mailbox in the tenant -- confirm that
// SettingsHelper reads it from protected configuration rather than from source.
string authority = "https://login.microsoftonline.com/" + SettingsHelper.TenantId + "/oauth2/token";
AuthenticationContext authContext = new AuthenticationContext(authority);
ClientCredential credential = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.ClientSecret);
var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com", credential);

// Every Graph request made through this client carries the same app-only token.
var authProvider = new DelegateAuthenticationProvider(request =>
{
    request.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);
    return Task.FromResult(0);
});
var graphserviceClient = new GraphServiceClient(authProvider);

// Nothing in this code limits which mailbox is read: the address below is only a
// path segment chosen by the caller, so any per-mailbox restriction has to be
// enforced by the service. For Exchange Online mailboxes that is normally an
// application access policy (New-ApplicationAccessPolicy, scoped to a mail-enabled
// security group) -- NOTE(review): confirm this applies to your tenant.

// Desired: this mailbox stays readable.
var allowedEmails = await graphserviceClient
    .Users["xxx@mydom.com"]
    .Messages
    .Request()
    .GetAsync();

// Desired: this mailbox should be refused by the service, not merely avoided here.
var dissabledEmails = await graphserviceClient
    .Users["yyy@mydom.com"]
    .Messages
    .Request()
    .GetAsync();