{"id":25479,"date":"2026-03-26T11:25:52","date_gmt":"2026-03-26T18:25:52","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=25479"},"modified":"2026-03-26T11:25:52","modified_gmt":"2026-03-26T18:25:52","slug":"graph-api-updates-to-sensitive-email-properties","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/graph-api-updates-to-sensitive-email-properties\/","title":{"rendered":"Breaking Change Ahead: Graph API Updates to Sensitive Email Properties"},"content":{"rendered":"<p>We&#8217;re implementing a significant update in our service affecting applications that modify sensitive email properties on non-draft email messages. These sensitive email properties include the subject, body, recipients, and a number of other properties when changed using any of the <a href=\"https:\/\/learn.microsoft.com\/graph\/api\/message-update?view=graph-rest-1.0&amp;tabs=http\">message update methods on Graph API<\/a>.<\/p>\n<h2>Immutability of received email messages<\/h2>\n<p>There&#8217;s a fundamental expectation that once you receive an email message, it should remain unchanged except for specific management-related properties such as read status, flags, and similar attributes. Critical components like the address list, subject, and body text shouldn&#8217;t be altered unless a new draft message is created. Exceptions to this rule are specialized use-cases, particularly within the security domain, such as identifying suspicious emails and other privileged operations.<\/p>\n<h2>Required permissions for modifying sensitive email properties<\/h2>\n<p>To maintain the expected immutability of email messages during standard management operations, we will begin restricting applications from modifying sensitive email properties in non-draft messages unless they possess elevated permissions. 
Specifically, applications must have one of the following permissions: <strong><a href=\"https:\/\/learn.microsoft.com\/graph\/permissions-reference#mail-advancedreadwrite\">Mail-Advanced.ReadWrite<\/a><\/strong>, <strong><a href=\"https:\/\/learn.microsoft.com\/graph\/permissions-reference#mail-advancedreadwriteall\">Mail-Advanced.ReadWrite.All<\/a><\/strong>, or <strong><a href=\"https:\/\/learn.microsoft.com\/graph\/permissions-reference#mail-advancedreadwriteshared\">Mail-Advanced.ReadWrite.Shared<\/a><\/strong>, depending on the scenario. All these permissions require tenant administrator consent.<\/p>\n<p>The <a href=\"https:\/\/learn.microsoft.com\/graph\/api\/message-update?view=graph-rest-1.0&amp;tabs=http\"><strong>Update message<\/strong> documentation<\/a>\u00a0identifies sensitive properties as those that are only updateable if <strong>isDraft = true<\/strong>. Once the restriction goes into effect, you can only update these properties in non-draft messages if the application has <strong>Mail-Advanced.ReadWrite<\/strong> permissions. Draft messages will continue to be updateable with the current <strong>Mail.ReadWrite<\/strong> permissions.<\/p>\n<h2>Timeline and recommendations<\/h2>\n<p>These required permissions are already available. Enforcement of the new restrictions in our service \u2013 blocking Graph API updates to sensitive email properties \u2013 will begin on <strong>12\/31\/2026<\/strong>. If you develop Graph API applications that modify these properties, we strongly recommend updating your applications to request the necessary higher-level permissions as soon as possible. 
This proactive approach will help ensure a smooth transition and minimize potential disruptions for your customers.<\/p>\n<p>The Exchange Team<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2026\/03\/microsoft-graph-api-sensitive-message.webp\"><img decoding=\"async\" class=\"alignleft size-medium wp-image-25483\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2026\/03\/microsoft-graph-api-sensitive-message-300x275.webp\" alt=\"microsoft graph api sensitive email message image\" width=\"300\" height=\"275\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2026\/03\/microsoft-graph-api-sensitive-message-300x275.webp 300w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2026\/03\/microsoft-graph-api-sensitive-message.webp 303w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On 12\/31\/2026, we will begin restricting updates to sensitive properties on non-draft email messages (including subject, body, and recipients). Apps will need Mail-Advanced.ReadWrite (or .All \/ .Shared) with admin consent to continue modifying these fields. 
Review your current usage and update permissions now to avoid unexpected failures.<\/p>\n","protected":false},"author":186837,"featured_media":25483,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,3],"tags":[69,146,12,109,432],"class_list":["post-25479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-365-developer","category-microsoft-graph","tag-exchange","tag-microsoft-graph-api","tag-outlook","tag-rest-api","tag-sensitive-email-properties"],"acf":[],"blog_post_summary":"<p>On 12\/31\/2026, we will begin restricting updates to sensitive properties on non-draft email messages (including subject, body, and recipients). Apps will need Mail-Advanced.ReadWrite (or .All \/ .Shared) with admin consent to continue modifying these fields. Review your current usage and update permissions now to avoid unexpected failures.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/25479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/186837"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=25479"}],"version-history":[{"count":2,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/25479\/revisions"}],"predecessor-version":[{"id":25485,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/25479\/revisions\/25485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/25483"}
],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=25479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=25479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=25479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}