I'm a bit confused regarding the documentation found at https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Mail.Read is listed twice but appears to mean different things both times. The first instance "[a]llows the app to read email in user mailboxes" while the second "[a]llows the app to read mail in all mailboxes without a signed-in user". The second sounds like it deserves the "all" qualifier and should not be confused with the first, since they do different things.
This is particularly relevant when the permission scope is a prerequisite (https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_list_messages). What kind of behaviour can we expect?
My main question, then, is that am I right in thinking that there's no way to have delegated permissions that allow all mail to be read by the signed in user? That, instead, we have to use the app-only permission? The documentation gave me a sliver of hope that it was possible without app-only permissions but trial and error have suggested otherwise.
There is a separate Mail.Read permission for both Application and Delegated permissions.
First take a look at the section titled "App-only vs. delegated permissions"
Permission scopes can be either app-only or delegated. App-only scopes
(also known as app roles) grant the app the full set of privileges
offered by the scope. App-only scopes are typically used by apps that
run as a service without a signed-in user being present.
Delegated permission scopes are for apps that act on behalf of a user.
These scopes delegate the privileges of the signed-in user, allowing
the app to act as the user. The actual privileges granted to the app
will be the least privileged combination (the intersection) of the
privileges granted by the scope and those possessed by the signed-in
user. For example, if the permission scope grants delegated privileges
to write all directory objects, but the signed-in user has privileges
only to update their own user profile, the app will only be able to
write the signed-in user's profile but no other objects.
"Permissions not requiring administrator's consent" are delegated permissions, while "App-only permissions requiring administrator's consent" are the app-only permissions, which is why it shows up twice.
The next thing to realize is that when you get a delegated token, the permissions your app has will be the intersection of the permissions the user has, and the permissions granted by consent. Therefore, with the signed in user's token, you will only be able to read the mail that user has access to, the extent of which is captured by Mail.Read.Shared
Mail.Read.Shared
Read user and shared mail
Allows the app to read mail that the user can access, including the user's own and shared mail.
If you want to access the mail for all the user's in your tenant, then you must have a user account that has that level of access... or you need to use an App Only token which grants that scope of access.
Mail.Read
Read mail in all mailboxes
Allows the app to read mail in all mailboxes without a signed-in user.
Let me know if this helps!
