Reputation: 66
I am currently trying to integrate a SharePoint site with the Microsoft Graph in order to display information on a home page to users, including Outlook Mail, Calendar and Task information from the Graph API. This is done using the ADAL JS library (core JS version, not the Angular JS one).
When attempting to retrieve a user's calendar, task, user and group information, the request completes successfully. However, when attempting to retrieve a user's mail messages (using the /me/messages endpoint), the request returns a 403 error with the following message:
```json
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "GUID",
      "date": "2016-10-26T07:14:50"
    }
  }
}
```
This led me to check the JSON Web Token returned, and I noticed that despite the Azure AD app having the correct delegated permission to read a user's mail, the requested scopes appeared to be incorrect:
```
"scp": "Calendars.Read Contacts.Read Directory.Read.All email profile Tasks.Read User.Read",
```
As you can see, instead of having Mail.Read, it has "email" (and profile).
I can't seem to find anywhere to specify, change or update the scope included in the web token. Any changes to the app's required permissions appear to do nothing to the scope string.
Any help would be greatly appreciated.
Many thanks, Jason
Upvotes: 1
Views: 189
Reputation: 1786
The email scope only grants you access to the user's primary email address. To get access to messages in their inbox you need Mail.Read. To get this scope you need to update the app registration on the Azure portal and request "Read user mail".
Upvotes: 1
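As an added illustration of the answer above (example code, not from the question, the answer or the ADAL JS library): decode the access token's payload and check its `scp` claim for the delegated scope an endpoint needs before calling Graph, so a missing Mail.Read shows up as a clear configuration error rather than an opaque 403. The endpoint-to-scope mapping and the sample token are constructed for the example; the scp value is the one quoted in the question.

```javascript
// Added example (not from the question or answer): read a Graph access token's
// "scp" claim and check it for the scope an endpoint needs, so a missing
// Mail.Read is reported before the call instead of as an opaque 403.

// Endpoint-to-scope mapping (assumed from the scopes the question lists).
const REQUIRED_SCOPE = {
  "/me/messages": "Mail.Read",
  "/me/events": "Calendars.Read",
  "/me/tasks": "Tasks.Read",
  "/me": "User.Read",
};

// base64url (JWT alphabet, no padding) helpers; work in browsers and Node.
function base64UrlEncode(str) {
  const b64 = typeof btoa === "function" ? btoa(str) : Buffer.from(str, "utf8").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function base64UrlDecode(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("utf8");
}

// Scopes granted in the token's "scp" claim, as a Set.
// This only reads the claim; the signature is verified by Graph, not here,
// so treat the result as a preflight check, not an authorization decision.
function scopesFromToken(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return new Set((payload.scp || "").split(" ").filter(Boolean));
}

// The scope `endpoint` needs but the token lacks, or null when it is covered.
function missingScope(jwt, endpoint) {
  const needed = REQUIRED_SCOPE[endpoint];
  if (!needed) throw new Error(`no scope mapping for ${endpoint}`);
  return scopesFromToken(jwt).has(needed) ? null : needed;
}

// Constructed sample token carrying the scp claim quoted in the question.
// Header and signature segments are dummies; only the payload is parsed.
function sampleToken() {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({
    scp: "Calendars.Read Contacts.Read Directory.Read.All email profile Tasks.Read User.Read",
  }));
  return `${header}.${payload}.sig`;
}
```

Calling `missingScope(sampleToken(), "/me/messages")` returns `"Mail.Read"`, while `"/me/events"` returns `null` because Calendars.Read is present; in ADAL JS the real token comes from `acquireToken` for the Graph resource.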