Microsoft Graph: how to list only the mailboxes a delegated user can access, not all users in the tenant?

Akshay Babar 65 Reputation points
2026-06-16T16:56:41.61+00:00

I'm building an integration with Microsoft Graph using delegated permissions (OAuth2 authorization-code / refresh-token flow, with Mail.Read and Mail.Read.Shared).

In a setup screen, the signed-in user needs to pick which mailboxes the integration should read from, and they should only see mailboxes they actually have access to (their own mailbox plus any shared mailboxes / delegated mailboxes granted to them).

Today I populate that list with:

GET https://graph.microsoft.com/v1.0/users

but this returns every user in the Azure AD tenant (the whole directory), regardless of mailbox access. So the user sees every mailbox in the organization, which is wrong.

Questions:

  1. Is there a Graph endpoint that returns the mailboxes a given (signed-in) user has been granted access to — shared mailboxes and delegate access — rather than the full directory?
  2. If not, is the recommended approach to enumerate candidates and then probe each one, e.g.:
    GET https://graph.microsoft.com/v1.0/users/{userOrEmail}/mailFolders/inbox?$select=id
    and keep only the ones that return 200, treating 403 (ErrorAccessDenied) and 404 (MailboxNotEnabledForRESTAPI) as "no access"? Is relying on these status codes a supported/stable way to detect access?
  3. Are there better-scaling alternatives — e.g. restricting via an ApplicationAccessPolicy and a mail-enabled security group, then listing only that group's members (GET /groups/{id}/members)?

Any guidance on the canonical way to scope the mailbox list to a user's actual access would be appreciated.

Microsoft Security | Microsoft Graph
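The probe-and-filter approach from question 2, with the mail-enabled group from question 3 as the candidate source, written out as an added example (not code from the question author). It assumes a delegated access token is already in hand, a group id of "g1", and the constructed transport in demo_transport() in place of Microsoft Graph so it runs offline. Only the two error codes named in the question are mapped to "no access"; any other 403/404 body is reported as "unknown" so a mistyped candidate or an unexpected condition is not silently mistaken for a revoked grant, and 429/5xx responses are retried a bounded number of times honouring Retry-After rather than being counted as "no access". What this gives you is the set of mailboxes the token can open right now, not an enumeration of permissions: a Full Access grant to a mailbox that is not in the group is never probed.

```python
"""Build a mailbox picker from what the signed-in user's delegated token can actually open."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# Transport: (url, token) -> (status, lower-cased headers, body). Injected so the logic runs offline.
Transport = Callable[[str, str], Tuple[int, Dict[str, str], bytes]]
# The two codes the question treats as "no access". Anything else on 403/404 is surfaced as "unknown".
NO_ACCESS_CODES = {"ErrorAccessDenied", "MailboxNotEnabledForRESTAPI"}


def graph_get(url: str, token: str) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport using only the standard library; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def error_code(body: bytes) -> Optional[str]:
    """Pull error.code out of a Graph error body, if there is one."""
    try:
        return json.loads(body or b"{}").get("error", {}).get("code")
    except (ValueError, AttributeError):
        return None


@dataclass
class Probe:
    mailbox: str
    verdict: str            # "accessible" | "no-access" | "unknown" | "throttled"
    status: int
    code: Optional[str] = None


def probe_mailbox(mailbox: str, token: str, send: Transport = graph_get,
                  sleep: Callable[[float], None] = time.sleep, retries: int = 3) -> Probe:
    """The cheap probe from the question: can this token read the candidate's inbox folder id?"""
    url = f"{GRAPH}/users/{urllib.parse.quote(mailbox)}/mailFolders/inbox?$select=id"
    status, headers, body = 0, {}, b""
    for _ in range(retries + 1):
        status, headers, body = send(url, token)
        if status == 200:
            return Probe(mailbox, "accessible", status)
        if status in (403, 404):
            code = error_code(body)
            return Probe(mailbox, "no-access" if code in NO_ACCESS_CODES else "unknown", status, code)
        if status == 429 or status >= 500:
            sleep(float(headers.get("retry-after", "1")))   # bounded retries keep the UI from hanging
            continue
        return Probe(mailbox, "unknown", status, error_code(body))
    return Probe(mailbox, "throttled", status, error_code(body))


def group_members(group_id: str, token: str, send: Transport = graph_get) -> List[str]:
    """Candidate list from a mail-enabled security group, following @odata.nextLink for paging."""
    url = f"{GRAPH}/groups/{group_id}/members?$select=userPrincipalName"
    upns: List[str] = []
    while url:
        status, _, body = send(url, token)
        if status != 200:
            raise RuntimeError(f"listing members failed: HTTP {status} {error_code(body)}")
        page = json.loads(body)
        upns.extend(m["userPrincipalName"] for m in page.get("value", []) if m.get("userPrincipalName"))
        url = page.get("@odata.nextLink")
    return upns


def probe_all(candidates: List[str], token: str, send: Transport = graph_get,
              sleep: Callable[[float], None] = time.sleep) -> List[Probe]:
    """Probe every candidate; the caller decides how to show 'unknown' and 'throttled' entries."""
    return [probe_mailbox(c, token, send, sleep) for c in candidates]


def demo_transport() -> Transport:
    """Constructed stand-in for Graph (assumption, not real tenant data): group g1 has three members
    across two pages; alice is readable, bob is throttled once and then denied, carol has no REST
    mailbox, and an unlisted user gets a 404 with a made-up code so the 'unknown' path is exercised."""
    page1 = {"value": [{"userPrincipalName": "alice@contoso.example"}],
             "@odata.nextLink": f"{GRAPH}/groups/g1/members?$skiptoken=p2"}
    page2 = {"value": [{"userPrincipalName": "bob@contoso.example"},
                       {"userPrincipalName": "carol@contoso.example"}]}
    seen = {"bob": 0}

    def send(url: str, token: str) -> Tuple[int, Dict[str, str], bytes]:
        if url.startswith(f"{GRAPH}/groups/g1/members"):
            return 200, {}, json.dumps(page2 if "$skiptoken=p2" in url else page1).encode()
        if "alice%40contoso.example" in url:
            return 200, {}, b'{"id": "inbox-folder-id"}'
        if "bob%40contoso.example" in url:
            seen["bob"] += 1
            if seen["bob"] == 1:
                return 429, {"retry-after": "0"}, b""
            return 403, {}, b'{"error": {"code": "ErrorAccessDenied", "message": "constructed"}}'
        if "carol%40contoso.example" in url:
            return 404, {}, b'{"error": {"code": "MailboxNotEnabledForRESTAPI", "message": "constructed"}}'
        return 404, {}, b'{"error": {"code": "ConstructedOtherError", "message": "constructed"}}'
    return send


if __name__ == "__main__":
    fake = demo_transport()
    for p in probe_all(group_members("g1", "token", fake), "token", fake, sleep=lambda s: None):
        print(p)
```

In the real setup screen, swap demo_transport() for graph_get and the delegated token, and render "unknown" and "throttled" entries as "could not verify" rather than hiding them, since the status-code mapping is an observation about current behaviour, not a documented contract.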

2 answers

  1. Vasil Michev 127.2K Reputation points MVP Volunteer Moderator
    2026-06-16T17:22:42.8333333+00:00

    No, Graph has very limited support for Exchange scenarios, and enumerating permissions is not one of them. The best you can do with it is leverage the recently introduced "admin API", which effectively allows you to run the Get-MailboxFolderPermission cmdlet, but that only covers folder-level permissions, and not Full Access ones. Here's the relevant documentation: https://learn.microsoft.com/en-us/exchange/reference/admin-api-get-started

    And my take on the API: https://michev.info/blog/post/7142/quick-look-at-the-new-exchange-admin-api-additions

    A better solution would be to leverage the Exchange Online PowerShell cmdlets directly, or the underlying REST API that powers them on the backend. You will need an application with Exchange.Manage permissions for this however, and a dependence on the ExO PowerShell module. The "raw" API is another alternative, but it is not officially supported. Just in case, here's how to leverage it: https://michev.info/blog/post/5822/all-you-need-to-know-about-exchange-online-admin-api-or-how-to-run-cmdlets-without-powershell


  2. AI answer

    2026-06-16T16:57:02.9966667+00:00
    1. There is no Microsoft Graph endpoint in the provided context that returns “only the mailboxes the signed-in user can access”. The mail API overview states that Microsoft Graph can access a user’s primary mailbox and shared mailboxes the user has permission to access, but it does not describe any API that enumerates that set of mailboxes for a user.
    2. The context documents describe mail-related permissions such as Mail.Read, Mail.Read.Shared, Mail.ReadWrite, Mail.ReadWrite.Shared, and Mail-Advanced.ReadWrite.Shared, and explain what each allows:
      • Mail.Read (delegated) – read the signed-in user’s mailbox.
      • Mail.Read.Shared (delegated) – read user and shared basic mail the signed-in user can access, except for body and attachments.
      • Mail.ReadWrite.Shared (delegated) – create, read, update, delete mail the user can access, including shared mail.
      These permissions control what the app can do once a mailbox is known, but the context does not document a supported pattern of “probing” arbitrary users’ mailboxes (for example, calling /users/{id}/mailFolders/inbox and interpreting 200/403/404) as a canonical or stable way to discover which mailboxes the signed-in user can access. The stability or supportability of relying on those status codes for discovery is not covered in the provided material.
    3. The context mentions that administrators can configure an application access policy to limit app access to specific mailboxes even when broad application permissions like Mail.Read or Mail.ReadWrite are granted. However, this is described for application permissions (app-only access) and not as a discovery mechanism for delegated access. The documents do not describe using a mail-enabled security group plus application access policies, combined with listing group members, as a recommended or canonical pattern for scoping a mailbox list for a delegated user.

    Based on the available context, only the permission scopes and high-level capabilities are documented; no canonical Graph pattern is provided for enumerating “mailboxes a delegated user can access,” nor for using HTTP status codes as a supported discovery mechanism.


