We’re implementing a significant update in our service affecting applications that modify sensitive email properties on non-draft email messages. These sensitive email properties include the subject, body, recipients, and a number of other properties when changed using any of the message update methods on Graph API.
Immutability of received email messages
There’s a fundamental expectation that once you receive an email message, it should remain unchanged except for specific management-related properties such as read status, flags, and similar attributes. Critical components like the address list, subject, and body text shouldn’t be altered unless a new draft message is created. Exceptions to this rule are specialized use-cases, particularly within the security domain, such as identifying suspicious emails and other privileged operations.
Required permissions for modifying sensitive email properties
To maintain the expected immutability of email messages during standard management operations, we will begin restricting applications from modifying sensitive email properties in non-draft messages unless they possess elevated permissions. Specifically, applications must have one of the following permissions: Mail-Advanced.ReadWrite, Mail-Advanced.ReadWrite.All, or Mail-Advanced.ReadWrite.Shared, depending on the scenario. All of these permissions require tenant administrator consent.
The Update message documentation identifies sensitive properties as those that are only updateable if isDraft = true. Once the restriction goes into effect, you can only update these properties in non-draft messages if the application has Mail-Advanced.ReadWrite permissions. Draft messages will continue to be updateable with the current Mail.ReadWrite permissions.
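The following is an added example, not code from the Exchange Team or the Graph SDK: a pre-enforcement audit helper that reads the permissions in an access token and reports which properties in a planned message update would be rejected under the rule above. The function names, the sample tokens, and the partial `SENSITIVE` list are assumptions; the check treats any of the three elevated permissions as sufficient and does not model which one a given scenario needs.

```python
import base64
import json

# Elevated permission names as given in the announcement.
ELEVATED = {
    "Mail-Advanced.ReadWrite",
    "Mail-Advanced.ReadWrite.All",
    "Mail-Advanced.ReadWrite.Shared",
}
# Partial list (assumption): the properties the announcement names, by their
# Graph message property names. The Update message documentation is authoritative.
SENSITIVE = {"subject", "body", "toRecipients", "ccRecipients", "bccRecipients"}


def token_permissions(jwt: str) -> set:
    """Return the permissions in an access token payload (scp and roles claims).

    The signature is NOT verified; use this for offline auditing only.
    """
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    delegated = set(claims.get("scp", "").split())  # space-separated string
    app_roles = set(claims.get("roles", []))        # JSON array
    return delegated | app_roles


def blocked_properties(jwt: str, is_draft: bool, patch_body: dict) -> list:
    """List the properties in a message PATCH body that enforcement would reject."""
    if is_draft or token_permissions(jwt) & ELEVATED:
        return []
    return sorted(SENSITIVE.intersection(patch_body))


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    legacy = make_sample_token({"scp": "Mail.ReadWrite User.Read"})
    daemon = make_sample_token({"roles": ["Mail-Advanced.ReadWrite.All"]})
    change = {"subject": "[SUSPICIOUS] Invoice", "isRead": True}
    print(blocked_properties(legacy, False, change))
    print(blocked_properties(legacy, True, change))
    print(blocked_properties(daemon, False, change))
```

Run it against the tokens your application actually receives and the update bodies it sends to find the calls that need the elevated permission before enforcement begins.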
Timeline and recommendations
These required permissions are already available. Enforcement of the new restrictions in our service – blocking Graph API updates to sensitive email properties – will begin on 12/31/2026. If you develop Graph API applications that modify these properties, we strongly recommend updating your applications to request the necessary higher-level permissions as soon as possible. This proactive approach will help ensure a smooth transition and minimize potential disruptions for your customers.
The Exchange Team
