N8n SaaS application permissions instead of delegated

Questions
1

Describe the problem/error/question

We use n8n SaaS (n8n cloud) and whenever a user wants to access for example an O365 mailbox, the enterprise application on our side requests delegated permissions. These permissions are very broad so I tried to configure a separate OAuth credentials using an App registration (which we can limit to a specific mailbox) but n8n then still requests a delegated permission within this App registration.

Is this an inherent limit of the SaaS version? I read somewhere online the on-premise version does work with app registration secrets.

What is the error message (if any)?

Only option creating credentials is to ‘Connect’ using the user’s own credentials resulting in delegated permissions.

Please share your workflow

Share the output returned by the last node

Information on your n8n setup

  • n8n version: 2.4.6
  • Running n8n via (Docker, npm, n8n cloud, desktop app): n8n cloud
2

Hi @thijsssss ,
This is not actually a limitation of the SaaS version itself, but rather a design choice in how the pre-built Outlook node works.

Currently, the native Outlook node in n8n is designed to act on behalf of a user (Delegated Permissions). It essentially says, “I am User X, let me read my email.” It doesn’t support the “I am a background service, let me access this specific mailbox” flow (Application Permissions) that you are looking for.

Moving to self-hosted won’t change this behavior in the Outlook node. However, you can absolutely achieve what you want on n8n Cloud today by bypassing the pre-built node.

The Workaround: Use the HTTP Request Node

To use your App Registration with Application Permissions (Client Credentials Flow) and avoid user logins entirely:

  1. Set up a “Generic Credential”
  • Go to Credentials > New > Generic Credential Type.
  • Authentication: OAuth2 API.
  • Grant Type: Client Credentials.
  • Token URL: https://login.microsoftonline.com/{YOUR_TENANT_ID}/oauth2/v2.0/token
  • Client ID: Your App Registration ID.
  • Client Secret: Your App Secret.
  • Scope: https://graph.microsoft.com/.default (This magic scope tells Microsoft to use all Application permissions you granted in the Azure Portal).
  1. Call the API manually
  • Add an HTTP Request node.
  • Method: GET.
  • URL: https://graph.microsoft.com/v1.0/users/{[email protected]}/messages
  • Authentication: Select the generic credential you just created.

This method allows you to strictly limit access via your Azure App Registration (e.g., to specific mailboxes only) without triggering any user consent popups.

Here is a video guide that walks through this exact setup using the HTTP Request node for Microsoft Graph:

Connect Microsoft Graph API to n8n

If my answer helped solve your question, would you mind marking it as the solution?

It’ll help others find it more easily—and I’d really appreciate it!

Thanks!

3

Hi @thijsssss , welcome to the community. In these cases, I really like to use the http node with OAuth2 authentication. I’ve also seen some people using webhooks as intermediaries or cloud containers running self-hosted n8n just for these specific integrations. Can you share which specific use case you need the Application Permissions for?