Does `/messages` in Graph API include shared mailboxes?

Question

I'm calling https://graph.microsoft.com/v1.0/users/{user_id}/messages/ to paginate through all user messages. I'm using app permissions for access, which works fine.

But I'm getting more messages than expected, and I'm not sure why. Is it possible the /messages endpoint includes messages from shared mailboxes available to user_id, too?

If so, what is the way to suppress that? Thanks.

Answer 1

From Microsoft's Known Issues page:

GET messages returns chats in Microsoft Teams

In both the v1 and beta endpoints, the response of GET /users/id/messages includes the user's Microsoft Teams chats that occurred outside the scope of a team or channel. These chat messages have "IM" as their subject.

So the solution is to ignore all messages with subject == "IM".

Answer 2

What gives you the impression that you are getting more messages than is expected? Note that /messages returns all of the messages in the mailbox across all of the folders.

The documentation states that shared message access is performed with delegated permissions. You shouldn't be seeing shared messages when using application permissions. Does your application use the Mail.Read.Shared or Mail.ReadWrite.Shared scopes? If so, you should be able to remove them and I'd expect it shouldn't have access.