Sivaprakash_saripalli stated: “IMAP, SMTP scopes are targeted for Exchange resource and not Graph. Whereas User.Read, Mail.ReadWrite are meant for Graph resource”, and developers on Stack Overflow have noted that IMAP and SMTP AUTH scopes appear only to work when the scope URI in the client is https://outlook.office.com but with the corresponding resource permissions in AAD set in Graph and not in (e.g.) ‘legacy’ Exchange, because, unlike Graph, the Exchange API (https://outlook.office365.com) does not have (e.g.) an SMTP.Send permission and there is no Outlook API shown in the API list at all.
Example:
Client: scope ‘https://outlook.office.com/SMTP.Send’
AAD: permission from Microsoft Graph (‘https://graph.microsoft.com’) API’s list: SMTP.Send
It would be much appreciated by other posters and myself if Sivaprakash_saripalli or a The_Exchange_Team colleague could explain how - if we specify an SMTP AUTH scope using https://outlook.office.com/SMTP.Send - we should specify this permission to AAD when (e.g.) SMTP.Send is only selectable for Graph and not the Exchange API?
Or is there a difference between a ‘scope’ URI used in the client and the corresponding permission URI specified for that API in AAD?
Scopes requested by a client (including the resource API’s URI - which for the V2 endpoints defaults to graph.microsoft.com if no URI is specified) for an access token MUST be a subset of the permissions for that API set by admin in AAD for that client or the entire granular permissions model falls apart. I realise that Graph now includes much of the features of the Outlook REST API, but what confuses me and my colleagues is why the client scope URI and the AAD permissions URI are different.
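As an added example (not part of the post above), a client-side sanity check for the scope/resource mismatch the post discusses: before presenting an access token to Exchange Online over SMTP AUTH, inspect its `aud` and `scp` claims to confirm it was issued for the https://outlook.office.com resource with SMTP.Send, then build the SASL XOAUTH2 initial response. The sample tokens are constructed and unsigned; the expected `aud` value is this example's assumption, not something the post states.

```python
import base64
import json

# Resource the SMTP AUTH scope in the post is rooted at. Checking 'aud' against
# this value is an assumption of this example, not something the post states.
EXCHANGE_RESOURCE = "https://outlook.office.com"

def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Only for inspecting which resource/scopes the token was issued for;
    the mail server, not the client, is the party that validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def token_fits_smtp_auth(token: str, required_scope: str = "SMTP.Send") -> bool:
    """True if the token's audience is the Exchange resource and its delegated
    scopes ('scp', space-separated) include the one SMTP AUTH needs. A token
    minted for the Graph audience is rejected even if it carries the scope."""
    claims = decode_jwt_claims(token)
    scopes = set(claims.get("scp", "").split())
    return claims.get("aud") == EXCHANGE_RESOURCE and required_scope in scopes

def build_xoauth2(user: str, token: str) -> bytes:
    """SASL XOAUTH2 initial response 'user=<upn>^Aauth=Bearer <token>^A^A',
    base64-encoded as the client sends it after 'AUTH XOAUTH2'."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw)

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned sample token ('alg': 'none') for offline use only."""
    def seg(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

# Constructed sample tokens: one issued for the Exchange resource, one for Graph.
EXCHANGE_TOKEN = make_unsigned_token(
    {"aud": EXCHANGE_RESOURCE, "scp": "SMTP.Send", "upn": "user@contoso.example"})
GRAPH_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "Mail.ReadWrite SMTP.Send"})
```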