Phishing: Microsoft Graph Authentication Error
This error occurs because Microsoft Conditional Access requires devices or sessions to be compliant before granting access to protected resources. When the Phishing Reporter add-in attempts to connect via Delegated Access (i.e., on behalf of a signed-in user), the organization’s Conditional Access policies may block the request if it does not originate from a compliant or trusted device.
This is common when:
- The organization enforces device compliance via Intune or Azure AD.
- The user accessing the Phishing Reporter add-in is considered an external identity.

What Is Application-Level Access?
Application-level permissions allow the Phishing Reporter add-in to access Microsoft 365 mailboxes and perform phishing reporting tasks without requiring a signed-in user. The add-in authenticates using its own identity instead of a user’s.
When enabled, the Phishing Reporter add-in acts as a trusted service with organization-wide permissions granted by an administrator. This ensures that Phishing can operate under Conditional Access, perform automated operations, and maintain consistent behavior even when users are not logged in.
Why Application-Level Access Is Required
If your organization enforces Conditional Access, device compliance, or automated identity checks, Delegated Access will fail because it depends on the user’s compliance state.
Application-Level Access ensures:
- Uninterrupted operation of the Phishing Reporter add-in across all mailboxes.
- Centralized and consistent access across departments and tenants.
- Secure authentication compatible with Conditional Access requirements.
When to Use Application-Level Access
Use Application-Level Access if:
- You require organization-wide authentication for all users.
- Conditional Access or advanced identity enforcement is active.
- Consistency across departments/regions is needed.
Security Notes
- Admin Consent Required: Only global administrators can grant Application-Level permissions.
- Least Privilege Principle: Assign only the permissions needed for the Phishing Reporter add-in to operate.
- Governance: Regularly audit app-only permissions to ensure compliance.
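
One way to carry out the least-privilege and governance checks above is to compare the add-in's granted app-only permissions against an approved baseline. The following is an added example, not code from the vendor or from Microsoft: it works offline on data shaped like Microsoft Graph's `appRoleAssignments` and `appRoles` responses. The GUIDs, dates and the `APPROVED` baseline are constructed assumptions; this page does not list which permissions the add-in needs.

```python
# Added example (not vendor code): offline audit of app-only permissions.
# Input shapes follow Microsoft Graph:
#   GET /servicePrincipals/{id}/appRoleAssignments   (what was granted)
#   GET /servicePrincipals/{resourceId}  -> appRoles (id -> permission name)
# Every GUID, date and the APPROVED baseline below is constructed.

APPROVED = {"Mail.Read"}  # assumption: your organization's least-privilege baseline

RESOURCE_APP_ROLES = [  # constructed sample of the resource's published appRoles
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Mail.Read"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Mail.ReadWrite"},
]

ASSIGNMENTS = [  # constructed sample of the add-in's appRoleAssignments
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1",
     "resourceDisplayName": "Microsoft Graph",
     "createdDateTime": "2024-01-10T09:00:00Z"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a2",
     "resourceDisplayName": "Microsoft Graph",
     "createdDateTime": "2024-03-02T14:30:00Z"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000ff",  # not published by the resource
     "resourceDisplayName": "Microsoft Graph",
     "createdDateTime": "2024-03-02T14:31:00Z"},
]


def audit_app_permissions(assignments, resource_app_roles, approved):
    """Return (findings, missing): grants outside the baseline, and baseline
    permissions that were never granted (the add-in would fail without them)."""
    names = {r["id"]: r["value"] for r in resource_app_roles}
    findings, granted = [], set()
    for a in assignments:
        name = names.get(a["appRoleId"])
        if name is None:
            issue, name = "unresolved-role-id", a["appRoleId"]
        elif name in approved:
            granted.add(name)
            continue
        else:
            issue = "not-in-baseline"
        findings.append({"permission": name, "issue": issue,
                         "resource": a["resourceDisplayName"],
                         "granted": a["createdDateTime"]})
    return findings, sorted(approved - granted)


if __name__ == "__main__":
    findings, missing = audit_app_permissions(ASSIGNMENTS, RESOURCE_APP_ROLES, APPROVED)
    for f in findings:
        print(f"{f['issue']:20} {f['permission']} on {f['resource']} since {f['granted']}")
    print("missing from tenant:", missing or "none")
```

Run it on a schedule against exported Graph responses and review any `not-in-baseline` or `unresolved-role-id` finding before the next consent change.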
Recommendation
Use Application-Level Access for:
- Reliable, organization-wide authentication and identity mapping.
- Compatibility with Conditional Access and advanced identity controls.
Keep Delegated Access for:
- End-user actions like phishing report submission from the Outlook ribbon.