Wsgetmail, azure app configuration

I’m trying to get wsgetmail working on a shared MS365 mailbox, or even just a regular mailbox for testing. I believe I have the wsgetmail bit working:

$ wsgetmail --config=wsgetmail_test_rt.conf --debug

fetching mail using configuration wsgetmail_test_rt.conf
making GET request to url at /usr/local/share/perl/5.34.0/App/wsgetmail/MS365/ line 222.
getting system access token at /usr/local/share/perl/5.34.0/App/wsgetmail/MS365/ line 288.
failed to fetch folder detail 403 Forbidden at /usr/local/share/perl/5.34.0/App/wsgetmail/ line 340.
unable to fetch messages, can’t find folder RT at /usr/local/share/perl/5.34.0/App/wsgetmail/ line 386.

But I’m stuck on the permissions, I think, on the Azure side. The App::wsgetmail documentation at CPAN says to add “Application permissions”:


But some of those are “Delegated permissions” instead. If I add them all from “Delegated permissions”, I get the output from above: I’m forbidden to read something somewhere.

The “Application permissions” I can choose from that set require Admin consent, and my admins are rightfully reluctant to grant permission for my app to read “all mailboxes”, unless we can be sure my app is locked down to just my helpdesk mailbox.

At what point in the app registration/configuration do I lock it down to specific mailbox(es)?

I’m trying to follow along in the MS documents the wsgetmail documentation links to, to see if that’s the way forward, but I’m lost in a sea of browsers and tabs, and getting myself and my app tied in knots about API permissions and roles. Do I need to be looking at roles and such?


I have the same configuration as you describe, and mine is working. The issue I found was with the later versions of the app somehow broke something, I never had the time to troubleshoot it, but I am still using version 0.06 without any issues. Give it a try.

After you have successfully connected the app, and you can get emails from mailboxes, follow the guide below to limit the access to specific mailboxes. Otherwise, you are adding unneeded complexity.

Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Learn

This was exactly what I needed. Thanks!

Version 0.08 worked for me, as well. Perhaps because it was a fresh install.

With version 0.08 and delegated permissions I got the following error (and we cannot use application permissions instead of delegated):

making GET request to url at /usr/local/share/perl/5.36.0/App/wsgetmail/MS365/ line 224.
getting system access token at /usr/local/share/perl/5.36.0/App/wsgetmail/MS365/ line 290.
failed to fetch folder detail 403 Forbidden at /usr/local/share/perl/5.36.0/App/wsgetmail/ line 370.
response from server : {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}} at /usr/local/share/perl/5.36.0/App/wsgetmail/ line 371.
unable to fetch messages, can't find folder Inbox at /usr/local/share/perl/5.36.0/App/wsgetmail/ line 418.

fetching mail using configuration /home/de_rt/App-wsgetmail-0.08/wsgetmail.json

I’m sorry, I won’t be further help on this. Everything I was able to find said that at least some of the permissions had to be Application, not Delegated. I don’t have the permissions on our Azure tenant to test that condition.

What was the end-result of this scenario?

Does this mean that we can’t lock-down the access to only specific mailboxes?

I was hoping someone who actually knows would answer. My best response is “I hope so!”, but any restriction must happen at a higher level of authority than I have on our tenant.

On the wsgetmail side, you “lock it down” by only querying a specific folder for a specific username.