0

I'm currently looking at this https://learn.microsoft.com/en-us/graph/webhooks#subscription-request-example

which for convenience I'll provide a screenshot of below


and the highlighted part confuses me. How exactly does someone go about giving my app permission to subscribe to their mailbox resource?

notacorn
  • The Global Admin can go to your app in the Azure Portal and click the button for Granting Consent. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent – Daniel Björk Jul 27 '20 at 06:39
  • So does this mean that if there are users on an enterprise system, individual users wouldn't be able to grant third-party access to their own resources? @DanielBjörk – notacorn Jul 27 '20 at 17:35

1 Answer

1

Permissions (scopes) are requested by an application within a context:

  • app-only, which carries only the information of the application.
  • delegated, sometimes called user-context, which carries the information of the user using the application.

Depending on the "impact" of a permission, and on policies that can be defined by the tenant administrators, users can consent (or not) to certain permission requests on the resources they own (in the case of a delegated context; app-only permissions always require admin consent).

Generally speaking, the permissions required to subscribe to a certain resource are the same that are required to read the resource.

You can find a reference of which permission is required for which resource here.

If we take the example of messages (emails), it requires the Mail.Read permission to subscribe. In general, this permission can be consented to by regular users and does not require an administrator. However, administrators can set up policies to require administrator consent, preventing users from consenting directly themselves.

baywet
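The two consent paths described in the answer above, as an added example that is not part of the original answer: it builds the link a mailbox owner follows to consent to delegated `Mail.Read`, the link an administrator follows when tenant policy blocks user consent, and a callback handler that verifies `state` before trusting the result. The client ID, redirect URI, tenant values and function names are placeholders and assumptions; the endpoints are those of the Microsoft identity platform v2.0.

```python
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) ID
REDIRECT_URI = "https://app.example/auth/callback"  # placeholder; must be registered on the app


def user_consent_url(tenant, state):
    """Delegated context: the mailbox owner signs in and is prompted for Mail.Read."""
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "https://graph.microsoft.com/Mail.Read offline_access",
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"


def admin_consent_url(tenant, state):
    """Used when tenant policy requires an administrator to consent instead."""
    query = urlencode({
        "client_id": CLIENT_ID,
        "scope": "https://graph.microsoft.com/Mail.Read",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{query}"


def handle_callback(callback_url, expected_state):
    """Classify the redirect returned by either consent URL."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # Reject any response whose state is not the one this session issued (CSRF check).
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        return ("rejected", "state mismatch")
    if "error" in params:
        return ("denied", params["error"])
    if "code" in params:
        return ("user_consented", params["code"])  # next step: exchange the code for tokens
    if params.get("admin_consent", "").lower() == "true":
        return ("admin_consented", params.get("tenant", ""))
    return ("rejected", "unrecognised response")
```

Generate `state` per sign-in attempt with `secrets.token_urlsafe()` and keep it in the user's session; only after a `user_consented` or `admin_consented` result does the app hold a grant that lets it create the mail subscription.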