We are going to setup the Service Based Agent for the Email gateway testing with the O365 App-only authentication method. In the requirements the User.Read.All application permission is required (see the link above). This means that info about all users is available.
As we want to conduct test in the production environment this is a security issue and we would like to know what is the reason for this kind of permission as for the email gateway testing emails are received only in that particular mailbox used for testing. Concerning the proposed limitation of Cymulate to specific mailbox (https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access.) does not solve this issue as it is applicable to the mailbox as such, not to users.
Best answer by ShirazView original