I have a daemon script that needs to access my Office 365 inbox to read messages. Currently I am using basic authentication with V1.0 of the Outlook REST API, which works well, but since it is being discontinued I am looking to move to the Graph API and OAuth 2.0 authentication. The client credentials flow, as described here, seems to be the best option for a daemon script; however, I'm confused about the scope of the permissions that the app will have. The article I linked above makes it look as if the app will have access to the entire organization, but I only need the script to be able to access my own account. I don't want my app to have access to other users' accounts, and I don't think our I.T. department would allow that either.
So, what is the scope of the app's permission when using client-credentials authentication? If the answer is "the whole organization", then is there a way to limit the permissions to just my account? If not, what are my other options?
Edit: A similar question was asked here but did not get any answers.
That is correct. If you use Client Credentials, you are by definition using Application Scopes. These tokens have no "user" context and are therefore tenant-wide permissions. This is why Application Scopes always require Admin Consent before they can be used.
From the documentation:
If this is just for your mailbox rather than something you're deploying to others, you can use the Authorization Code Grant with the `offline_access` scope to obtain both an `access_token` and a `refresh_token`. Once you've "seeded" your app with the token, the app can use the `refresh_token` to obtain a new `access_token` when it expires. You may occasionally need to re-seed your app/service (for example, if your password changes), but otherwise it should work without interaction.
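The seed-then-refresh loop this answer describes, as an added example that is not part of the original answer or of any Microsoft sample. It targets the Microsoft identity platform v2.0 `authorize` and `token` endpoints with the delegated scopes `https://graph.microsoft.com/Mail.Read` and `offline_access` (delegated, so the token carries the signed-in user's context and reaches only that mailbox). The tenant, `client_id` and `redirect_uri` are placeholders, the token responses in the `__main__` block are constructed, and nothing is sent over the network; `TokenStore`, `next_action` and the other names are this example's own.

```python
"""Delegated-token handling for a daemon that reads one Office 365 mailbox via
Microsoft Graph. Added example, not code from the original answer. It assumes
an app registration (TENANT, CLIENT_ID, REDIRECT_URI are placeholders) granted
the delegated scopes Mail.Read and offline_access. It builds the exact request
bodies and interprets constructed token responses; no network calls are made."""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

TENANT = "contoso.onmicrosoft.com"                   # placeholder
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
REDIRECT_URI = "http://localhost:8400/callback"      # placeholder
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
SCOPES = ["https://graph.microsoft.com/Mail.Read", "offline_access"]
REFRESH_MARGIN = 300  # refresh this many seconds before the access token expires


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method, so a
    native/public client needs no client secret on disk."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorize_url(state, code_challenge):
    """One-time 'seeding' URL that the mailbox owner opens in a browser."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "response_mode": "query", "scope": " ".join(SCOPES), "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def code_exchange_body(code, code_verifier):
    """POST body for {AUTHORITY}/token that turns the auth code into tokens."""
    return {"client_id": CLIENT_ID, "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "scope": " ".join(SCOPES),
            "code_verifier": code_verifier}


def refresh_body(refresh_token):
    """POST body the daemon sends, unattended, when the access token is near expiry."""
    return {"client_id": CLIENT_ID, "grant_type": "refresh_token",
            "refresh_token": refresh_token, "scope": " ".join(SCOPES)}


class TokenStore:
    """Persisted token state. A real daemon writes this to a file readable only
    by the service account; the refresh token is as sensitive as a password."""

    def __init__(self):
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def apply(self, token_response, now=None):
        """Absorb a token-endpoint JSON response (as a dict)."""
        now = time.time() if now is None else now
        if "error" in token_response:
            # e.g. invalid_grant after a password change or revocation: re-seed.
            raise PermissionError(
                f"{token_response['error']}: {token_response.get('error_description', '')}")
        self.access_token = token_response["access_token"]
        self.expires_at = now + int(token_response["expires_in"])
        # The token endpoint rotates the refresh token; always keep the newest one.
        if token_response.get("refresh_token"):
            self.refresh_token = token_response["refresh_token"]

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return self.access_token is None or now >= self.expires_at - REFRESH_MARGIN


def next_action(store, now=None):
    """Decide what the daemon does before a Graph call:
    ('use', access_token), ('refresh', post_body) or ('seed', None)."""
    if not store.needs_refresh(now):
        return "use", store.access_token
    if store.refresh_token:
        return "refresh", refresh_body(store.refresh_token)
    return "seed", None


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print("Seed once by opening:", authorize_url(secrets.token_urlsafe(16), challenge))
    store = TokenStore()
    # Constructed responses standing in for the real token endpoint.
    store.apply({"access_token": "at1", "refresh_token": "rt1", "expires_in": 3600}, now=0)
    print(next_action(store, now=3000))  # inside the window: use at1
    print(next_action(store, now=3400))  # within 300 s of expiry: refresh with rt1
    store.apply({"access_token": "at2", "refresh_token": "rt2", "expires_in": 3600}, now=3400)
    print("rotated refresh token:", store.refresh_token)
```

The daemon posts `refresh_body(...)` to `{AUTHORITY}/token` whenever `next_action` says `refresh`, and must persist the rotated `refresh_token` from every response; if it keeps the original one, the chain breaks as soon as the older token is invalidated. A `('seed', None)` result, or a `PermissionError` from `apply` (the `invalid_grant` case after a password change), is the "re-seed" moment the answer mentions: open `authorize_url` again in a browser and exchange the new code with `code_exchange_body`.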