Describe the problem/error/question
I want to deploy an Outlook connector to my organisation, but don’t want users to have the ability to send email. However, when you attempt to connect an Outlook credential, it requires the Mail.Send permission on the application to be active. I assume this is because the scope is hard baked into the credential configuration.
Is there a way to use the Outlook connector without having the Mail.Send ability on the app registration?
What is the error message (if any)?
No error message
Information on your n8n setup
- n8n version: Unknown right now, currently not onsite to get access (sorry)
- Database (default: SQLite): SQLite
- n8n EXECUTIONS_PROCESS setting (default: own, main): default
- Running n8n via (Docker, npm, n8n cloud, desktop app): docker
- Operating system: Linux
@Freddyg303 yeah the built-in Outlook credential hardcodes Mail.Send into the scopes, no way to strip it from the node side. workaround is skip the Outlook node and use HTTP Request with a generic OAuth2 API credential where u define only the scopes u want.
credential setup:
- new credential, type: OAuth2 API
- Grant Type: Authorization Code
- Authorization URL: Sign in to your account
- Access Token URL: Sign in to your account
- Scope: openid offline_access Mail.Read (whichever ones u actually need)
- Client ID/Secret from ur app registration
then hit MS Graph directly:
users now only consent to what u listed, no Mail.Send prompt at all. swap the URL for whatever action u need (list/read/move/delete all live under /me/messages on the Graph API)
Hi @Freddyg303
To use Outlook without the Mail.Send permission, follow these two steps:
1) Use a General Credential: Create a “Microsoft OAuth2 API” credential instead of the Outlook-specific one. This unlocks the Scope field, allowing you to manually enter only the permissions you need (like Mail.Read) while omitting Mail.Send.
2) Use the HTTP Request Node: Since the built-in Outlook node requires the locked-down credential, use the HTTP Request node to interact with the Microsoft Graph API. Set the authentication to your new general Microsoft credential to perform your tasks.
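A check that the custom-scope credential described in both replies really came back without Mail.Send, as an added example that is not code from this thread or from n8n. It assumes the token endpoint returns the RFC 6749 `scope` field; the function names, the allow-list and the sample token responses are constructed for illustration.

```javascript
// Added example: audit the scopes an OAuth2 token response actually grants.
// Names, allow-list and sample responses below are constructed, not from n8n.
const GRAPH_PREFIX = 'https://graph.microsoft.com/';

// Strip the Graph resource prefix and lower-case the scope, because
// "https://graph.microsoft.com/Mail.Read" and "mail.read" name the same grant.
function normaliseScope(scope) {
  const s = scope.trim();
  const bare = s.toLowerCase().startsWith(GRAPH_PREFIX)
    ? s.slice(GRAPH_PREFIX.length)
    : s;
  return bare.toLowerCase();
}

// Compare the space-separated `scope` field with an allow-list.
function auditGrantedScopes(tokenResponse, allowedScopes) {
  if (typeof tokenResponse.scope !== 'string' || tokenResponse.scope.trim() === '') {
    // No scope field: least privilege cannot be confirmed, so fail closed.
    return { ok: false, granted: [], unexpected: [], reason: 'missing scope field' };
  }
  const allowed = new Set(allowedScopes.map(normaliseScope));
  const granted = [...new Set(
    tokenResponse.scope.split(/\s+/).filter(Boolean).map(normaliseScope)
  )];
  // Exact match only: allowing "mail.read" must not admit "mail.readwrite".
  const unexpected = granted.filter((s) => !allowed.has(s));
  return {
    ok: unexpected.length === 0,
    granted,
    unexpected,
    reason: unexpected.length ? 'scopes outside allow-list' : 'ok',
  };
}

// Constructed sample data: the scopes from the thread, and two token responses.
const ALLOWED = ['openid', 'offline_access', 'Mail.Read'];
const readOnly = {
  token_type: 'Bearer',
  scope: 'https://graph.microsoft.com/Mail.Read openid offline_access',
};
const overGranted = {
  token_type: 'Bearer',
  scope: 'Mail.Read https://graph.microsoft.com/Mail.Send Mail.ReadWrite',
};

console.log(auditGrantedScopes(readOnly, ALLOWED));
console.log(auditGrantedScopes(overGranted, ALLOWED));
```

The same comparison can run in a Code node right after the first HTTP Request call, so a later change to the app registration or the credential's Scope field that widens the grant is caught in the workflow.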