WSGetmail Azure API permissions confusion - O365 Email

Hello, I’m working to transition our RT config from ICMP/SMTP via fetchmail to WSGetmail and am finding the documentation somewhat confusing. I handle IT for a specific department at a university so my permissions in the Azure portal are somewhat limited and my experience with Azure extremely limited.

Item 1 - The documentation specifies API permissions to be selected under the heading “Application permissions”, but when I select “Application permissions” several of these items are missing. “Mail.Read.Shared”, “Mail.ReadWrite.Shared”, “openid”, and “User.Read” are all only present under “Delegated permissions”, not “Application permissions”. Is this an issue with my permissions in the Azure portal preventing me from seeing the right options? Or should I be selecting the “Delegated permissions” versions instead?

Item 1B - If the items are supposed to be delegated instead of application, how do I go about consenting to these? With other application registrations I’ve done the user is shown a consent popup the first time, but I don’t know how that could be accomplished from the Linux command line with RT.

Item 2 - When configuring the client secret the documentation notes that client secrets can be granted limited access to only specific mailboxes, but doesn’t elaborate further. I found this page but do not have the necessary permissions at the university to test if it’s what I’m looking for. Is that the correct page? Several of the Application permission API items require the university administration to grant admin consent in the Azure portal, but the wording on them has so far stopped that from happening. For instance, Mail.Read says “Read mail in all mailboxes”, and they definitely will not let one department in the university get API access to all mailboxes.

Thank you for your time.

Hi,

Item 1
I used all the available permissions in the “Application permissions” section
enable the rest in the “Delegated permissions” section. In the Application type, I could only find Mail.Read and Mail.ReadWrite.

Item 1B
After granting the permissions in Item 1, click the “Grant admin consent for ” button to approve the app permissions. “Grant tenant-wide admin consent to an application - Microsoft Entra | Microsoft Learn

Item 2
Yes, this is the correct page. The wording “Read mail in all mailboxes” will remain, the actual permissions are not clearly visible in the azure portal (as far as I know). Although you can view them by listing your application access policies.

To restrict the permissions the steps are the below :

  1. Create a new mail-enabled security group as described here “Manage mail-enabled security groups in Exchange Online | Microsoft Learn
  2. Add the mailboxes, you want RT to have access, in the group
  3. Create the application access policy as described here “New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft Learn
  4. Test it with the commands provided
  5. Wait for the policy to be applied, this needs more than one hour to get applied as stated by Microsoft here “Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Learn