MS Graph API Permissions
Affinity offers two syncing methods for Office365 / Azure users: OAuth 2.0 (delegated) and client credential (application). Depending on the method, Affinity will request slightly different MS Graph API scopes/permissions to sync your email/calendar data.
Overview
Method #1 - Microsoft OAuth 2.0 (delegated)
If you're using Microsoft OAuth 2.0, here are the scopes/permissions that Affinity will request:
- User.Read
  - Allows users to sign in to the app and enables the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
- Mail.Read
  - Allows the app to read email in the user's mailbox.
- Calendars.Read
  - Allows the app to read events in the user's calendar.
- Mail.Send
  - Allows the app to send mail as the user without a signed-in user.
- profile
  - Allows the app to see your users' basic profile (name, picture, user name).
- openid
  - By using this permission, an app can receive a unique identifier for the user in the form of the sub claim. The consent also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication.
- email
  - Allows the app to read your user's primary email address.
Method #2 - Client Credential (application)
Please note that this is only available for our Enterprise tier customers. Here are the scopes/permissions that Affinity will request:
- Mail.Read
  - Allows the app to read mail in all mailboxes without a signed-in user.
- Mail.Send
  - Allows the app to send mail as any user without a signed-in user.
- Calendars.Read
  - Allows the app to read events of all calendars without a signed-in user.
- Organization.Read.All
  - Allows the app to read the organization and related resources on behalf of the signed-in user.
- User.Read.All
  - Allows the app to read the full set of profile properties, group membership, reports, and managers of other users in your organization without a signed-in user.
Important callout for Client Credential
- Administrators can configure their application access policy to limit app access to only specific mailboxes rather than all the mailboxes in the organization.
- See additional information about MS client credentials.
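The mailbox restriction described in the first callout, shown as an added example that is not Affinity's own documentation or code. It assumes the ExchangeOnlineManagement module, Exchange administrator rights, a placeholder application (client) ID for the sync app registration, and constructed contoso.example addresses:

```powershell
# Added example (not from the Affinity page): scope an application-permission
# integration (Mail.Read, Mail.Send, Calendars.Read) to a chosen set of
# mailboxes with an Exchange Online application access policy.
# Requires the ExchangeOnlineManagement module and Exchange administrator rights.
Connect-ExchangeOnline

# Placeholder: replace with the app (client) ID of the integration's app registration.
$appId = "00000000-0000-0000-0000-000000000000"

# Mail-enabled security group listing the only mailboxes the app may touch
# (constructed sample addresses).
$group = New-DistributionGroup -Name "CRM-Sync-Allowed" -Type Security `
    -PrimarySmtpAddress "crm-sync-allowed@contoso.example"
Add-DistributionGroupMember -Identity $group.Identity -Member "alice@contoso.example"
Add-DistributionGroupMember -Identity $group.Identity -Member "bob@contoso.example"

# RestrictAccess: the app keeps its Graph permissions but can only reach
# mailboxes that are members of the group; every other mailbox is denied.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Limit CRM email/calendar sync to the sales mailboxes"

# Verify the effect: AccessCheckResult should be Granted for a group member
# and Denied for a mailbox outside the group.
Test-ApplicationAccessPolicy -Identity "alice@contoso.example" -AppId $appId
Test-ApplicationAccessPolicy -Identity "carol@contoso.example" -AppId $appId
```

Policy changes propagate asynchronously, so re-run Test-ApplicationAccessPolicy after a short wait before concluding the policy is not working.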