Does the permission 'Mail.Read' really mean 'Mail.Read.All' in the Microsoft Graph API documentation?


Question

I'm a little confused by the documentation found at https://graph.microsoft.io/en-us/docs/authorization/permission_scopes

Mail.Read is listed twice but appears to mean different things both times. The first instance "[a]llows the app to read email in user mailboxes" while the second "[a]llows the app to read mail in all mailboxes without a signed-in user". The second sounds like it deserves the "all" qualifier and should not be confused with the first, since they do different things.

This is particularly relevant when the permission scope is a prerequisite (https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_list_messages). What kind of behaviour can we expect?

My main question, then, is: am I right in thinking that there's no way to have delegated permissions that allow all mail to be read by the signed-in user? That, instead, we have to use the app-only permission? The documentation gave me a sliver of hope that it was possible without app-only permissions, but trial and error have suggested otherwise.

Answer

There is a separate Mail.Read permission for both Application and Delegated permissions.

First take a look at the section titled "App-only vs. delegated permissions":

Permission scopes can be either app-only or delegated. App-only scopes (also known as app roles) grant the app the full set of privileges offered by the scope. App-only scopes are typically used by apps that run as a service without a signed-in user being present.

Delegated permission scopes are for apps that act on behalf of a user. These scopes delegate the privileges of the signed-in user, allowing the app to act as the user. The actual privileges granted to the app will be the least privileged combination (the intersection) of the privileges granted by the scope and those possessed by the signed-in user. For example, if the permission scope grants delegated privileges to write all directory objects, but the signed-in user has privileges only to update their own user profile, the app will only be able to write the signed-in user's profile but no other objects.

"Permissions not requiring administrator's consent" are delegated permissions, while "App-only permissions requiring administrator's consent" are the app-only permissions, which is why it shows up twice.

The next thing to realize is that when you get a delegated token, the permissions your app has will be the intersection of the permissions the user has and the permissions granted by consent. Therefore, with the signed-in user's token, you will only be able to read the mail that user has access to, the extent of which is captured by Mail.Read.Shared:

Mail.Read.Shared
Read user and shared mail
Allows the app to read mail that the user can access, including the user's own and shared mail.

If you want to access the mail for all the users in your tenant, then you must have a user account that has that level of access... or you need to use an App Only token which grants that scope of access.

Mail.Read
Read mail in all mailboxes
Allows the app to read mail in all mailboxes without a signed-in user.

Let me know if this helps!
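The distinction the answer draws (delegated Mail.Read is bounded by the signed-in user's own access, app-only Mail.Read reaches every mailbox) is visible in the access token itself: Azure AD puts delegated scopes in the space-separated `scp` claim and app-only permissions (app roles) in the `roles` array. The following is an added example, not part of the original question or answer, that decodes a token payload and reports which kind of Mail.Read it carries. The tokens it builds are constructed and unsigned, and the payload is decoded without signature verification, so this is an inspection aid for checking what a token was issued with, not a substitute for validating the token.

```python
import base64
import json
from typing import Dict, List

# Graph permission names as they appear in the documentation quoted above.
DELEGATED_MAIL_SCOPES = {"Mail.Read", "Mail.Read.Shared", "Mail.ReadBasic"}
APP_ONLY_MAIL_ROLES = {"Mail.Read", "Mail.ReadBasic.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url with the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: Dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT (alg=none) purely so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> Dict:
    """Return the payload claims. Signature is NOT verified here; this is for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_mail_read(token: str) -> Dict:
    """Report whether a Graph token's Mail.Read is delegated (user-bounded) or app-only (all mailboxes).

    Azure AD convention: delegated permissions live in the 'scp' claim (space-separated string),
    app-only permissions (app roles) live in the 'roles' claim (list). A token has one or the other.
    """
    claims = token_claims(token)
    scopes: List[str] = claims.get("scp", "").split() if isinstance(claims.get("scp"), str) else []
    roles: List[str] = claims.get("roles", []) if isinstance(claims.get("roles"), list) else []

    if scopes and not roles:
        kind = "delegated"
        mail = sorted(DELEGATED_MAIL_SCOPES & set(scopes))
        # Delegated access is the intersection of scope and the user's own rights:
        # it never reaches other users' mailboxes, at most shared ones via Mail.Read.Shared.
        reads_all = False
        reads_shared = "Mail.Read.Shared" in scopes
    elif roles and not scopes:
        kind = "app-only"
        mail = sorted(APP_ONLY_MAIL_ROLES & set(roles))
        # App-only Mail.Read is the "all mailboxes without a signed-in user" permission.
        reads_all = "Mail.Read" in roles
        reads_shared = reads_all
    else:
        kind = "unknown"
        mail, reads_all, reads_shared = [], False, False

    return {
        "kind": kind,
        "subject": claims.get("upn") or claims.get("sub"),
        "mail_permissions": mail,
        "reads_all_mailboxes": reads_all,
        "reads_shared_mailboxes": reads_shared,
    }


if __name__ == "__main__":
    # Constructed sample tokens; the claim values are illustrative, not real.
    delegated = make_unsigned_jwt({"scp": "Mail.Read User.Read", "upn": "alice@example.com"})
    app_only = make_unsigned_jwt({"roles": ["Mail.Read"], "sub": "00000000-app-id-placeholder"})
    for t in (delegated, app_only):
        print(classify_mail_read(t))
```

Run against a real token, `classify_mail_read` shows at a glance why the same "Mail.Read" string behaves so differently: a `scp` token is always scoped to the signed-in user's reach, while a `roles` token with Mail.Read is the tenant-wide, admin-consented permission and should be treated (and audited) as such.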

