Azure App registration using user+app access vs app-only access


I am developing an Azure Web App service called emailservice, which is supposed to communicate with a mailbox created in Office 365 Exchange Online. Suppose the user account for the mailbox is x @y-domain.com. The web app is supposed to retrieve messages automatically from the inbox or send messages when special events happen. I have decided to use the Microsoft Graph API for this. I need to do an app registration. I am not sure whether I should use user+app access or app-only access. I am not sure if both kinds of access are possible and it is just a matter of choice which one to use. I have seen a code snippet where they suggest having app-only access + Mail.ReadWrite and Mail.Send permissions. Again, I am not sure whether it is just a matter of choice or whether user+app access can be used for this scenario as well. I would appreciate it if someone could shed some light on this.

I have some Microsoft documents but am not sure which one is suitable or whether both of them are possible for the scenario I described.



Sridevi

User+App access allows your application to act on behalf of a signed-in user. It uses Delegated permissions, where user interaction is needed to acquire a token.

I registered one Azure AD application and granted the Mail.Read permission of the Delegated type like this:

(screenshot: the app registration's API permissions page, showing Mail.Read with type Delegated)

With Delegated permissions, you can only read the mail of the signed-in user (/me endpoint) and of shared mailboxes.

User+App access in C# (Interactive flow):

using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models.ODataErrors;

// ".default" requests every delegated permission already consented for this app registration.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenantId";   // placeholder: your Azure AD tenant ID
var clientId = "appId";      // placeholder: the registered application's (client) ID

// Interactive flow: a browser window opens and the user signs in; the resulting token
// carries that user's identity combined with the app's delegated permissions.
var options = new InteractiveBrowserCredentialOptions
{
    TenantId = tenantId,
    ClientId = clientId,
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
    RedirectUri = new Uri("http://localhost"),   // must be registered as a redirect URI on the app
};

var interactiveCredential = new InteractiveBrowserCredential(options);

var graphClient = new GraphServiceClient(interactiveCredential, scopes);

try
{
    // /me resolves to the signed-in user, so only that user's mailbox is reachable here.
    var messages = await graphClient.Me.Messages.GetAsync();
    foreach (var message in messages.Value)
    {
        Console.WriteLine($"Subject: {message.Subject}");
    }
}
catch (ODataError odataError)
{
    // Graph API failures (for example missing consent) surface as ODataError in Graph SDK v5.
    Console.WriteLine(odataError.Error.Code);
    Console.WriteLine(odataError.Error.Message);
}

Response:

(screenshot: console output listing the subjects of the signed-in user's messages)

The app-only scenario lets the application act without a signed-in user. It uses permissions of the Application type, which give you access to read any user's mailbox in the tenant.

For this, I registered one application and granted permissions of the Application type as below:

(screenshot: the app registration's API permissions page, showing mail permissions with type Application)

With Application permissions, you can read the mail of any user present in the tenant without any login to acquire a token.

App-only access in C# (Client credentials flow):

using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models.ODataErrors;

class Program
{
    static async Task Main(string[] args)
    {
        // ".default" requests every application permission consented for this app registration.
        var scopes = new[] { "https://graph.microsoft.com/.default" };
        var tenantId = "tenantID";   // placeholder: your Azure AD tenant ID
        var clientId = "appID";      // placeholder: the registered application's (client) ID
        // Placeholder only: in a real deployment load the secret from Key Vault or app
        // configuration, never from source code.
        var clientSecret = "secret";

        var options = new TokenCredentialOptions
        {
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
        };

        // Client credentials flow: the app authenticates as itself; no user signs in.
        var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);

        var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

        try
        {
            // With Application permissions any mailbox in the tenant can be addressed by UPN or ID.
            var messages = await graphClient.Users["[email protected]"].Messages.GetAsync();

            foreach (var message in messages.Value)
            {
                Console.WriteLine($"Subject: {message.Subject}");
            }
        }
        catch (ODataError odataError)
        {
            // Graph SDK v5 throws ODataError (not ServiceException) for API failures such as
            // ErrorAccessDenied, so that is the type to catch.
            Console.WriteLine(odataError.Error.Code);
            Console.WriteLine(odataError.Error.Message);
        }
    }
}

Response:

(screenshot: console output listing the subjects of the addressed user's messages)
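For the scenario in the question (an unattended web app that polls one mailbox and sends mail when events happen), app-only access is the model that fits: user+app access needs a person to sign in interactively at least once, and a background service has nobody to do that. The block below is an added example written for this page, not code from the answer above or from Microsoft, and it goes beyond the answer's snippet in three ways: it authenticates with the web app's managed identity instead of a stored client secret, it reads only unread Inbox mail and marks it read so a poll loop does not reprocess it, and it sends a notification with Mail.Send. Assumptions: the Azure Web App has a system-assigned managed identity whose service principal has been granted the Mail.ReadWrite and Mail.Send application permissions (for a managed identity this is done with New-MgServicePrincipalAppRoleAssignment or the appRoleAssignments Graph endpoint, since the portal's API permissions page only covers app registrations); the SERVICE_MAILBOX setting, the mailbox [email protected] (from the question) and the recipient [email protected] are placeholders; and the namespaces and method names are those of Microsoft Graph SDK v5 (the Kiota-based Microsoft.Graph package).

```csharp
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;
using Microsoft.Graph.Users.Item.SendMail;

// Added example for this page, not code from the original answer.
// Assumption: the web app runs with a system-assigned managed identity that holds the
// Mail.ReadWrite and Mail.Send application permissions; no client secret exists anywhere.
// DefaultAzureCredential uses the managed identity in Azure and the developer's own
// Azure CLI / Visual Studio sign-in when run locally.
var credential = new DefaultAzureCredential();
var graphClient = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });

// Placeholder mailbox taken from the question; SERVICE_MAILBOX is an assumed app setting.
var mailbox = Environment.GetEnvironmentVariable("SERVICE_MAILBOX") ?? "[email protected]";

try
{
    // Only look back a bounded window so a long-idle service does not pull the whole Inbox.
    foreach (var message in await FetchUnreadAsync(graphClient, mailbox, DateTimeOffset.UtcNow.AddDays(-7)))
    {
        Console.WriteLine($"{message.ReceivedDateTime:u}  {message.From?.EmailAddress?.Address}  {message.Subject}");

        // Mark it read so the next poll skips it. This write is why the snippet the question
        // mentions needs Mail.ReadWrite rather than Mail.Read.
        await graphClient.Users[mailbox].Messages[message.Id]
            .PatchAsync(new Message { IsRead = true });
    }

    await SendNotificationAsync(graphClient, mailbox, "[email protected]",
        "emailservice: special event processed");
}
catch (ODataError odataError)
{
    // Graph SDK v5 raises ODataError. ErrorAccessDenied here usually means the permission was not
    // consented, or the mailbox lies outside the app's Exchange Online application access policy.
    Console.WriteLine($"{odataError.Error?.Code}: {odataError.Error?.Message}");
}

// Read unread Inbox messages received after `since`, only the fields used, oldest first, in small pages.
static async Task<List<Message>> FetchUnreadAsync(GraphServiceClient client, string mailbox, DateTimeOffset since)
{
    var page = await client.Users[mailbox].MailFolders["Inbox"].Messages.GetAsync(cfg =>
    {
        // Graph requires any $orderby property to appear first in $filter when both are used.
        cfg.QueryParameters.Filter = $"receivedDateTime ge {since.UtcDateTime:o} and isRead eq false";
        cfg.QueryParameters.Orderby = new[] { "receivedDateTime asc" };
        cfg.QueryParameters.Select = new[] { "id", "subject", "from", "receivedDateTime" };
        cfg.QueryParameters.Top = 25;
    });
    return page?.Value ?? new List<Message>();
}

// Send a plain-text notification as the service mailbox (Mail.Send application permission).
static async Task SendNotificationAsync(GraphServiceClient client, string mailbox, string to, string subject)
{
    var body = new SendMailPostRequestBody
    {
        Message = new Message
        {
            Subject = subject,
            Body = new ItemBody { ContentType = BodyType.Text, Content = "emailservice detected a special event." },
            ToRecipients = new List<Recipient>
            {
                new Recipient { EmailAddress = new EmailAddress { Address = to } }
            },
        },
        SaveToSentItems = true,
    };
    await client.Users[mailbox].SendMail.PostAsync(body);
}
```

Mail.ReadWrite and Mail.Send of the Application type reach every mailbox in the tenant, not just the one the service needs, so pair them with an Exchange Online application access policy that confines the app (identified by its client ID, which a managed identity also has) to the service mailbox: New-ApplicationAccessPolicy -AppId <client id> -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess, then confirm with Test-ApplicationAccessPolicy -Identity <any other user> -AppId <client id>, which should report AccessCheckResult Denied. The policy is enforced on Graph mail calls made with application permissions whichever credential obtained the token, and it can take some time to propagate after creation.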