Microsoft Graph API 文档中的权限 'Mail.Read' 真的意味着 'Mail.Read.All' 吗?
Does the permission 'Mail.Read' really mean 'Mail.Read.All' in the Microsoft Graph API documentation?
我对 https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
中的文档有点困惑
Mail.Read 被列出了两次,但两次似乎意味着不同的东西。第一个实例“[a]允许应用程序读取用户邮箱中的电子邮件”,而第二个实例“[a]允许应用程序在没有登录用户的情况下读取所有邮箱中的邮件”。第二个听起来应该有 "all" 限定符,不应与第一个混淆,因为它们做不同的事情。
当权限范围是先决条件 (https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_list_messages) 时,这一点尤为重要。我们可以期待什么样的行为?
那么,我的主要问题是,我是否认为没有办法拥有允许登录用户阅读所有邮件的委派权限?那,相反,我们必须使用仅限应用程序的权限?该文档给了我一线希望,即没有仅应用程序权限也是可能的,但反复试验表明并非如此。
应用程序权限和委派权限都有单独的 Mail.Read 权限。
首先看一下标题为 "App-only vs. delegated permissions"
的部分
Permission scopes can be either app-only or delegated. App-only scopes
(also known as app roles) grant the app the full set of privileges
offered by the scope. App-only scopes are typically used by apps that
run as a service without a signed-in user being present.
Delegated permission scopes are for apps that act on behalf of a user.
These scopes delegate the privileges of the signed-in user, allowing
the app to act as the user. The actual privileges granted to the app
will be the least privileged combination (the intersection) of the
privileges granted by the scope and those possessed by the signed-in
user. For example, if the permission scope grants delegated privileges
to write all directory objects, but the signed-in user has privileges
only to update their own user profile, the app will only be able to
write the signed-in user's profile but no other objects.
"Permissions not requiring administrator's consent" 是委托权限,而 "App-only permissions requiring administrator's consent" 是 app-only 权限,这就是它出现两次的原因。
接下来要意识到的是,当您获得委托令牌时,您的应用程序拥有的权限将是用户拥有的权限与同意授予的权限的交集。因此,使用登录用户的令牌,您将只能阅读该用户有权访问的邮件,其范围由 Mail.Read.Shared
捕获
Mail.Read.Shared
Read user and shared mail
Allows the app to read mail that the user can access, including the user's own and shared mail.
如果您想访问租户中所有用户的邮件,那么您必须拥有具有该访问级别的用户帐户...或者您需要使用授予该范围的仅限应用程序令牌访问。
Mail.Read
Read mail in all mailboxes
Allows the app to read mail in all mailboxes without a signed-in user.
如果有帮助请告诉我!
我对 https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
中的文档有点困惑Mail.Read 被列出了两次,但两次似乎意味着不同的东西。第一个实例“[a]允许应用程序读取用户邮箱中的电子邮件”,而第二个实例“[a]允许应用程序在没有登录用户的情况下读取所有邮箱中的邮件”。第二个听起来应该有 "all" 限定符,不应与第一个混淆,因为它们做不同的事情。
当权限范围是先决条件 (https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_list_messages) 时,这一点尤为重要。我们可以期待什么样的行为?
那么,我的主要问题是,我是否认为没有办法拥有允许登录用户阅读所有邮件的委派权限?那,相反,我们必须使用仅限应用程序的权限?该文档给了我一线希望,即没有仅应用程序权限也是可能的,但反复试验表明并非如此。
应用程序权限和委派权限都有单独的 Mail.Read 权限。
首先看一下标题为 "App-only vs. delegated permissions"
的部分Permission scopes can be either app-only or delegated. App-only scopes (also known as app roles) grant the app the full set of privileges offered by the scope. App-only scopes are typically used by apps that run as a service without a signed-in user being present.
Delegated permission scopes are for apps that act on behalf of a user. These scopes delegate the privileges of the signed-in user, allowing the app to act as the user. The actual privileges granted to the app will be the least privileged combination (the intersection) of the privileges granted by the scope and those possessed by the signed-in user. For example, if the permission scope grants delegated privileges to write all directory objects, but the signed-in user has privileges only to update their own user profile, the app will only be able to write the signed-in user's profile but no other objects.
"Permissions not requiring administrator's consent" 是委托权限,而 "App-only permissions requiring administrator's consent" 是 app-only 权限,这就是它出现两次的原因。
接下来要意识到的是,当您获得委托令牌时,您的应用程序拥有的权限将是用户拥有的权限与同意授予的权限的交集。因此,使用登录用户的令牌,您将只能阅读该用户有权访问的邮件,其范围由 Mail.Read.Shared
Mail.Read.Shared
Read user and shared mail
Allows the app to read mail that the user can access, including the user's own and shared mail.
如果您想访问租户中所有用户的邮件,那么您必须拥有具有该访问级别的用户帐户...或者您需要使用授予该范围的仅限应用程序令牌访问。
Mail.Read
Read mail in all mailboxes
Allows the app to read mail in all mailboxes without a signed-in user.
如果有帮助请告诉我!