Applies to: Microsoft Modern Exchange Connector (Graph) integrations with Riva
This article outlines the permissions Riva requires when integrating with Microsoft Graph, how to grant those permissions via Azure Active Directory, and how to securely limit mailbox access using Microsoft’s Role-Based Access Control (RBAC) for Applications.
Overview
Riva uses Microsoft Graph to access mailbox data for syncing purposes (email, calendar, tasks, etc.). Microsoft Graph requires application-level permissions for server-to-server integration scenarios, meaning the application acts as itself — not on behalf of a user.
Required Permissions
When setting up Riva with Microsoft Graph, the following permissions are required in Azure Active Directory > App registrations:
| Permission Name | Type | Description | How Permissions are Used by Riva |
|---|---|---|---|
| User.Read.All | Application | Read all users' full profiles. | Used to look up email addresses to match Microsoft mailboxes. |
| User.Read | Delegated | Read the signed-in user’s profile. | Used to look up email addresses to match Microsoft mailboxes. Only required for the cloud-based multi-tenant admin consent flow (Riva Cloud Shared Tenant); it can be safely removed for on-premises deployments. Entra ID may warn that "this scope is required for application functionality"; that warning can be safely ignored. |
| Calendars.ReadWrite | Application | Read and write calendar events. | Used to sync calendar items. Can be changed to Calendars.Read if write access is not required. |
| Mail.ReadWrite | Application | Read and write access to user mailboxes. | Enables email sync. Can be reduced to Mail.Read depending on your needs. |
| Mail.Send | Application | Send mail as any user. | Allows Riva to send messages, such as tracking tokens or forwarded emails. Riva has optional functionality that uses this permission to send an email summary of errors Riva has encountered. If that feature is not used, this permission can be removed. |
| MailboxSettings.ReadWrite | Application | Full access to mailbox settings. | Required to read/write user-specific settings like categories, time zones, and work hours. Riva utilizes this permission to update the MasterCategory list to include new Riva-specific categories with the specific admin-defined colors. |
| Contacts.ReadWrite | Application | Read and write access to user contacts. | Used for contact sync. Can be limited to Contacts.Read if write access is unnecessary. |
| GroupMember.Read.All | Application | Read all group memberships for all users. | Allows Riva to expand distribution lists and gather group memberships. |
| Tasks.ReadWrite.All | Application | Read and write all users' tasks and task lists. | Allows Riva to sync tasks and task lists. |
Note:
All permissions are granted at the application level, giving consistent access without requiring per-user authentication.
Existing accounts with active Microsoft Graph connections do not require re-validation. However, administrators must grant admin consent for the newly added permissions to ensure continued functionality.
Granting Admin Consent
Once the permissions are configured for the Riva application, admin consent must be granted:
- Sign in to the Azure portal.
- Go to Azure Active Directory > Enterprise Applications.
- Find and select your Riva application.
- Click Permissions > Grant admin consent for [Tenant Name].
This consent allows Riva to access mailboxes based on the permissions granted.
Limiting Mailbox Access (Recommended)
By default, application permissions grant access to all mailboxes in the Microsoft 365 tenant. To apply the principle of least privilege and limit Riva’s access only to specific users, Microsoft now recommends using Role-Based Access Control (RBAC) for Applications.
Riva strongly recommends this approach for securing your integration.
See detailed steps in our guide:
Limiting Mailbox and User Access with Application Permissions using RBAC
RBAC Highlights
- Use a mail-enabled security group to define which mailboxes Riva can access.
- Create a custom management scope in Exchange Online.
- Assign that scope to the Riva application using a management role assignment.
- Verify access using PowerShell.
Note: Microsoft is phasing out Application Access Policies. RBAC for Applications is the long-term supported method for access control.
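The four RBAC steps above, written out as an Exchange Online PowerShell session. This is an added example, not a script shipped by Riva or Microsoft; the application (client) ID, the service principal object ID, the group name, the scope name and the two test mailboxes are placeholders you must replace, and the list of roles assumes the full default permission set from the table above (drop any role, such as Application Mail.Send, whose Graph permission you removed). It assumes a current ExchangeOnlineManagement module and an account allowed to create management scopes and role assignments.

```powershell
# Added example (not Riva's or Microsoft's own script): scope the Riva app's
# Exchange Online access to the members of one mail-enabled security group
# using RBAC for Applications.
# Placeholders (assumed values, replace before running):
$AppId             = "00000000-0000-0000-0000-000000000000"  # Application (client) ID of the Riva app registration
$SpObjectId        = "11111111-1111-1111-1111-111111111111"  # Object ID of the Riva enterprise application (service principal)
$GroupName         = "Riva-Sync-Users"
$ScopeName         = "Riva-Sync-Scope"
$InScopeMailbox    = "alice@contoso.com"                     # will be added to the group
$OutOfScopeMailbox = "bob@contoso.com"                       # deliberately left out of the group

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Mail-enabled security group that defines which mailboxes Riva may access.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security
}
Add-DistributionGroupMember -Identity $GroupName -Member $InScopeMailbox

# Register the app's service principal with Exchange Online (once per app).
# Admin consent for the Graph permissions in Entra ID is still required; this
# only lets Exchange refer to the app in role assignments.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName "Riva Graph Connector"
}

# 2. Custom management scope: only recipients that are members of the group.
#    The filter needs the group's distinguished name, not its alias.
$dn = $group.DistinguishedName
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "MemberOfGroup -eq '$dn'"

# 3. One role assignment per mailbox permission Riva uses, each bound to the scope.
#    Keep this list aligned with the permissions consented in Entra ID.
$roles = @(
    "Application Mail.ReadWrite",
    "Application Mail.Send",
    "Application MailboxSettings.ReadWrite",
    "Application Calendars.ReadWrite",
    "Application Contacts.ReadWrite"
)
foreach ($role in $roles) {
    New-ManagementRoleAssignment -App $AppId -Role $role -CustomResourceScope $ScopeName
}

# 4. Verify: InScope should be True for the group member and False for the other mailbox.
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $InScopeMailbox |
    Format-Table RoleName, GrantedPermissions, InScope
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $OutOfScopeMailbox |
    Format-Table RoleName, GrantedPermissions, InScope
```

Two caveats worth keeping in mind. RBAC for Applications constrains the Exchange resource permissions (Mail, Calendars, Contacts, MailboxSettings); directory permissions such as User.Read.All and GroupMember.Read.All are not mailbox-scoped by it, so the app can still resolve users and group memberships tenant-wide. And the second Test-ServicePrincipalAuthorization call is the check that matters: if it reports InScope as True for a mailbox outside the group, the scope filter or the group's distinguished name is wrong, and the assignment is effectively tenant-wide.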
After Consent and RBAC
Once permissions and scope have been granted:
- Riva will automatically detect and use Microsoft Graph as the sync method.
- Only mailboxes within the RBAC-defined scope (security group) will be synced.
- No user passwords or interactive logins are required.
Troubleshooting
| Issue | Suggested Action |
|---|---|
| Access to mailboxes failing | Ensure mailboxes are members of the RBAC security group |
| Permissions not taking effect | Wait 15–30 minutes for changes to propagate |
| Admin consent fails | Ensure you are using a Global Administrator (or Privileged Role Administrator) account; lower-privileged application administrator roles cannot consent to Microsoft Graph application permissions |
| Graph API errors in Riva | Check that the necessary Graph permissions are granted and consented properly |
Related Articles
- Limiting Mailbox and User Access with Application Permissions using RBAC
- Connect to Exchange Online PowerShell
- Microsoft Graph API Permissions Reference