Is it possible to restrict Gmail connector BYOA scopes to gmail.readonly?

Logan Rosen 0 Reputation points
2026-04-05T23:29:24.11+00:00

I'm building a Logic App that monitors my Gmail inbox (read-only — no sending or deleting). I'm using the Gmail connector's "Bring your own application" (BYOA) mode so I can control permissions.

I created a Google Cloud OAuth app with only the gmail.readonly scope on the consent screen. However, when I authorize the connection, Google's consent page still asks for full access: "Read, compose, send, and permanently delete all your email from Gmail."

After investigating, it appears the managed API definition hardcodes https://mail.google.com/ as the scope for both the shared-application and byoa parameter sets:

GET /subscriptions/{sub}/providers/Microsoft.Web/locations/eastus/managedApis/gmail?api-version=2016-06-01

shared-application → scopes: ["https://mail.google.com/"]
byoa               → scopes: ["https://mail.google.com/"]

The connector docs say BYOA lets you "control permissions and enable certain limitations" and that you can "select an appropriate subset of the permission scopes," but the connector doesn't seem to use the scopes from the BYOA app.

Questions:

  1. Is there a way to make the Gmail connector request only gmail.readonly when using BYOA?
  2. If not, is this a known limitation or a bug? I filed https://github.com/Azure/logicapps/issues/1521 for tracking.
  3. As a workaround, would an Azure Function calling the Gmail API directly with gmail.readonly be the recommended approach for read-only Gmail access in Logic Apps?
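A quick way to confirm what a managed connector definition actually asks for, added here as an example and not part of the original question: walk the managedApis JSON and flag every oAuthSettings.scopes list that goes beyond gmail.readonly. The JSON below is constructed to mirror the two parameter sets reported above; the precise layout of the real response is an assumption, so the walker looks for any oAuthSettings object rather than a fixed path.

```python
"""Audit the OAuth scopes a Logic Apps managed connector definition requests.

Added example, not from the original post. The sample JSON below is a
constructed, trimmed approximation of a managedApis response; the exact
layout of the real response is an assumption, which is why the walker
searches for any "oAuthSettings" object instead of a fixed path.
"""
import json

# Constructed sample: mirrors the two parameter sets the question reports.
SAMPLE_MANAGED_API = json.dumps({
    "name": "gmail",
    "properties": {
        "connectionParameterSets": {
            "values": [
                {"name": "shared-application",
                 "parameters": {"token": {"type": "oauthSetting",
                     "oAuthSettings": {"identityProvider": "google",
                                       "scopes": ["https://mail.google.com/"]}}}},
                {"name": "byoa",
                 "parameters": {"token": {"type": "oauthSetting",
                     "oAuthSettings": {"identityProvider": "google",
                                       "scopes": ["https://mail.google.com/"]}}}},
            ]
        }
    },
})

READ_ONLY_GMAIL = {"https://www.googleapis.com/auth/gmail.readonly"}


def find_scopes(node, path=""):
    """Yield (json_path, scopes) for every oAuthSettings.scopes list in the tree."""
    if isinstance(node, dict):
        if "oAuthSettings" in node and isinstance(node["oAuthSettings"], dict):
            scopes = node["oAuthSettings"].get("scopes", [])
            yield path + ".oAuthSettings.scopes", list(scopes)
        for key, value in node.items():
            if key != "oAuthSettings":
                yield from find_scopes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            # Use the parameter set's "name" when present so the report is readable.
            label = item.get("name", str(i)) if isinstance(item, dict) else str(i)
            yield from find_scopes(item, f"{path}[{label}]")


def audit_connector_scopes(definition_json, allowed=READ_ONLY_GMAIL):
    """Return {path: offending_scopes} for every scope list that exceeds `allowed`."""
    tree = json.loads(definition_json)
    findings = {}
    for path, scopes in find_scopes(tree):
        excess = sorted(set(scopes) - allowed)
        if excess:
            findings[path] = excess
    return findings


if __name__ == "__main__":
    for path, excess in audit_connector_scopes(SAMPLE_MANAGED_API).items():
        print(f"{path}: requests broader-than-read-only scopes {excess}")
```

Feed it the body of the managedApis GET shown above and an empty result means every parameter set is already limited to the allowed scopes; each reported path names the parameter set that still requests more.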

1 answer
    Praveen Kumar Gudipudi 2,275 Reputation points Microsoft External Staff Moderator
    2026-04-06T07:29:17.2866667+00:00

    Hello Logan Rosen,

    No — currently you cannot restrict the Gmail Logic Apps connector (even with BYOA) to gmail.readonly. This is a known limitation of the managed connector, not a configuration issue on your side.

    Workaround:
    Use an Azure Functions service that directly calls the Gmail API with the gmail.readonly scope.

    Typical pattern:

    1. Logic App triggers on schedule or webhook.
    2. Logic App calls an HTTP endpoint (Azure Function).
    3. Azure Function:
       • Authenticates with Google using OAuth
       • Uses gmail.readonly
       • Calls Gmail API (users.messages.list, users.messages.get)
    4. Function returns message metadata/content to the Logic App.

    Benefits:

    • True least-privilege access
    • Full control over OAuth scopes
    • Avoids connector limitations
    • Works with restricted Gmail environments

    Alternative option

    If you only need new mail notifications, another pattern is:

    • Gmail → Pub/Sub push notifications
    • Pub/Sub → webhook
    • Webhook → Logic App

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

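The Azure Function pattern in this answer, as an added example that is not the answerer's code or Microsoft's: it builds the consent URL with only gmail.readonly and, before every Gmail call, introspects the access token with Google's tokeninfo endpoint so that a token granted the connector's full https://mail.google.com/ scope is refused rather than used. The access token is assumed to be already obtained (the authorization-code exchange is not shown); fake_fetch and the constructed tokeninfo and message responses stand in for Google's endpoints so the block runs offline.

```python
"""Read-only Gmail access from an Azure Function, with a scope check before use.

Added example, not from the original post or from Microsoft/Google sample code.
It assumes the caller already completed the OAuth code exchange and holds an
access token; `fetch` is an injectable HTTP hook so the flow can be exercised
offline against constructed responses.
"""
import json
import urllib.parse
import urllib.request

GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
# The broad scope the managed connector requests; anything this wide is rejected.
GMAIL_FULL = "https://mail.google.com/"

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKENINFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo"
MESSAGES_ENDPOINT = "https://gmail.googleapis.com/gmail/v1/users/me/messages"


def build_auth_url(client_id, redirect_uri, state):
    """Authorization URL that asks for gmail.readonly and nothing else."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": GMAIL_READONLY,
        "access_type": "offline",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def default_fetch(url, headers=None):
    """Plain GET returning the parsed JSON body (used when no hook is injected)."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def granted_scopes(access_token, client_id, fetch=default_fetch, allowed=(GMAIL_READONLY,)):
    """Introspect the token and fail closed if it carries more than `allowed`.

    tokeninfo returns the granted scopes space-separated in "scope" and the
    client id in "aud"; both are checked so a token minted for another app or
    carrying the connector's full-mailbox scope is never used.
    """
    query = urllib.parse.urlencode({"access_token": access_token})
    info = fetch(TOKENINFO_ENDPOINT + "?" + query)
    if info.get("aud") != client_id:
        raise PermissionError("token was issued to a different client_id")
    scopes = set(info.get("scope", "").split())
    excess = scopes - set(allowed)
    if excess:
        raise PermissionError(f"token carries excess scopes: {sorted(excess)}")
    return sorted(scopes)


def list_message_ids(access_token, client_id, fetch=default_fetch, max_results=10):
    """Return message ids from users.messages.list, only after the scope check passes."""
    granted_scopes(access_token, client_id, fetch)
    query = urllib.parse.urlencode({"maxResults": max_results})
    page = fetch(MESSAGES_ENDPOINT + "?" + query,
                 headers={"Authorization": f"Bearer {access_token}"})
    return [m["id"] for m in page.get("messages", [])]


# Constructed responses standing in for Google's endpoints, keyed by URL prefix.
def fake_fetch(url, headers=None):
    if url.startswith(TOKENINFO_ENDPOINT):
        token = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["access_token"][0]
        scope = GMAIL_FULL if token == "broad-token" else GMAIL_READONLY
        return {"aud": "example-client-id", "scope": scope, "expires_in": "3599"}
    if url.startswith(MESSAGES_ENDPOINT):
        assert headers and headers.get("Authorization", "").startswith("Bearer ")
        return {"messages": [{"id": "18f0a1", "threadId": "18f0a1"},
                             {"id": "18f0a2", "threadId": "18f0a2"}]}
    raise ValueError(f"unexpected URL {url}")


if __name__ == "__main__":
    print(build_auth_url("example-client-id", "https://example.invalid/cb", "xyz"))
    print(list_message_ids("narrow-token", "example-client-id", fetch=fake_fetch))
    try:
        list_message_ids("broad-token", "example-client-id", fetch=fake_fetch)
    except PermissionError as exc:
        print("rejected:", exc)
```

In the deployed function, omit the fetch argument so default_fetch talks to Google, and keep the client_id next to the stored token so the aud check means something; the scope check costs one extra round trip per call but is what turns "we asked for gmail.readonly" into "we verified we only hold gmail.readonly".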
