Witt

Reputation: 517

Status Code: Forbidden when attempting to create a subscription to mail events

I'm attempting to use the /subscriptions endpoint of Microsoft Graph but I'm getting the following response:

stdClass Object
(
    [error] => stdClass Object
        (
            [code] => ExtensionError
            [message] => Operation: Create; Exception: [Status Code: Forbidden; Reason: Forbidden]
            [innerError] => stdClass Object
                (
                    [request-id] => 15acd5eb-46db-408e-8c6b-3bb779d63940
                    [date] => 2017-09-29T17:44:45
                )   
        )
)

In the Microsoft Application Registration Portal, I have Application Permissions Mail.Read and User.Read.All granted to my application.

I'm following this documentation.

Immediately prior to the call to /subscriptions I'm successfully retrieving an access token and using it to retrieve user information from the /users endpoint.

I'm using PHP curl to make these requests:

<?php
// $token is the app-only access token obtained just before this call (see above).
$url = "https://graph.microsoft.com/v1.0/subscriptions/";

$headers = array();
$headers[] = 'Authorization: Bearer '.$token;
$headers[] = 'Content-Type: application/json';

$postData = array (
         "changeType" => "created,updated",
         "notificationUrl" => "https://example.com/subscriptionListener.php",
         "resource" => "users/GUID-of-a-user/mailFolders('Inbox')/messages",
         "expirationDateTime" => "2017-10-01T18:23:45.9356913Z",
         "clientState" => "12345"
        );

$postJSON = json_encode($postData);

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);           // CURLOPT_POST takes a boolean, not a field count
curl_setopt($ch, CURLOPT_POSTFIELDS, $postJSON);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$result = curl_exec($ch);
if ($result === false) {
    die('curl error: ' . curl_error($ch));
}
curl_close($ch);
echo "<pre>", print_r(json_decode($result), 1), "</pre>";

My confirmation endpoint (subscriptionListener.php) is being called with a validation token, but if I send an email to the account I subscribed to I'm not getting the notification.

UPDATE: I pasted my token into a token debugger and found that my token shows a role of:

  "roles": [
    "User.Read.All"
  ],

The subscription endpoint requires Mail.Read, which according to the Microsoft Application Portal my app has: (screenshot: Microsoft Application Portal Permissions)

So it looks like my application permissions aren't being reflected in my token.

Any assistance greatly appreciated!!

Upvotes: 1

Views: 922
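The listener side of the flow described in the question (the validation-token handshake and the later change notifications) as an added example; this is not the poster's subscriptionListener.php. The function name handleGraphNotification and the parameter $expectedClientState are assumptions, and the sample requests at the bottom are constructed rather than captured from a tenant. The point it adds beyond the question: a notification is only accepted after its clientState matches the secret sent when the subscription was created, so a forged POST to the public notificationUrl is dropped.

```php
<?php
// Added example (not the original poster's code): the notification listener side of a
// Microsoft Graph subscription, written as a pure function so it can be exercised offline.
// Graph sends two kinds of requests to notificationUrl:
//   1. the validation handshake (query parameter validationToken), which must be echoed
//      back verbatim as text/plain with HTTP 200 within 10 seconds;
//   2. change notifications (POST JSON with a "value" array), whose clientState must
//      match the secret given at subscription time before the notification is trusted.
// $expectedClientState is assumed to be the value stored when the subscription was created.

function handleGraphNotification(array $query, string $body, string $expectedClientState): array
{
    // Case 1: validation handshake. Only the token goes back, as plain text.
    if (isset($query['validationToken'])) {
        return [
            'status'   => 200,
            'headers'  => ['Content-Type: text/plain'],
            'body'     => $query['validationToken'],
            'accepted' => [],
        ];
    }

    // Case 2: change notification batch.
    $payload = json_decode($body, true);
    if (!is_array($payload) || !isset($payload['value']) || !is_array($payload['value'])) {
        return ['status' => 400, 'headers' => [], 'body' => 'malformed notification', 'accepted' => []];
    }

    $accepted = [];
    foreach ($payload['value'] as $notification) {
        $state = (string) ($notification['clientState'] ?? '');
        // Constant-time comparison so a caller cannot probe the secret byte by byte.
        if (!hash_equals($expectedClientState, $state)) {
            continue; // drop silently; still answer 2xx so Graph does not keep retrying
        }
        $accepted[] = [
            'subscriptionId' => $notification['subscriptionId'] ?? null,
            'changeType'     => $notification['changeType'] ?? null,
            'resource'       => $notification['resource'] ?? null,
        ];
    }

    // Anything other than a 2xx within the timeout counts as a failed delivery and is retried.
    return ['status' => 202, 'headers' => [], 'body' => '', 'accepted' => $accepted];
}

// --- Constructed sample requests (not captured from a real tenant) ---
$secret = 'constructed-client-state-secret';

// Handshake: the token must come back unchanged.
$r = handleGraphNotification(['validationToken' => 'Validation: abc123'], '', $secret);
assert($r['status'] === 200 && $r['body'] === 'Validation: abc123');

// One genuine and one forged notification in the same batch; only the first is accepted.
$batch = json_encode(['value' => [
    ['subscriptionId' => 'sub-1', 'changeType' => 'created',
     'resource' => "users/USER-GUID/mailFolders('Inbox')/messages/MSG-ID", 'clientState' => $secret],
    ['subscriptionId' => 'sub-1', 'changeType' => 'created',
     'resource' => 'users/USER-GUID/messages/FORGED', 'clientState' => '12345'],
]]);
$r = handleGraphNotification([], $batch, $secret);
assert($r['status'] === 202 && count($r['accepted']) === 1);

// Wiring into a real endpoint such as subscriptionListener.php:
// $r = handleGraphNotification($_GET, file_get_contents('php://input'), $storedSecret);
// http_response_code($r['status']);
// foreach ($r['headers'] as $h) { header($h); }
// echo $r['body'];
```

Because the notificationUrl is reachable by anyone on the internet, the clientState is the only thing tying an incoming POST to the subscription you created; a guessable value such as "12345" gives that check little value, so generate it with random_bytes() and keep it alongside the subscription id.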

Answers (1)

Witt

Reputation: 517

Finally figured this out... I had failed to provide "admin consent" for the new Mail.Read permissions.

I found the answer here, in the section titled 'Admin Consent.' You just type in the url as indicated, then after you sign in click 'Accept'. Note that the redirect_uri parameter doesn't have to work - if it doesn't, then when you click 'Accept' you'll get an error message, but the Admin Consent will still have been granted.

Upvotes: 1
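A pre-flight check that catches the situation in the question and this answer (Mail.Read granted in the portal but absent from the token's roles claim because admin consent was never given), added here as an example rather than taken from the poster's code. The helpers base64UrlDecode, jwtClaims, missingAppRoles and sampleToken are assumed names, the token at the bottom is constructed and unsigned, and PHP 7.4 or later is assumed for the arrow function. It decodes the payload only for inspection, as the token debugger in the question does; the signature is deliberately not verified, because the client is not the token's audience.

```php
<?php
// Added example (not the original poster's code): read the `roles` claim out of an
// app-only Microsoft Graph access token before calling /subscriptions, so a permission
// that was granted but never admin-consented is reported locally with an actionable
// message instead of surfacing as a bare Forbidden from Graph.

function base64UrlDecode(string $data): string
{
    // base64url uses '-' and '_' and drops padding; restore both before decoding.
    $pad = (4 - strlen($data) % 4) % 4;
    $out = base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $pad), true);
    if ($out === false) {
        throw new InvalidArgumentException('invalid base64url segment');
    }
    return $out;
}

function jwtClaims(string $jwt): array
{
    // Compact JWT: header.payload.signature; only the payload is inspected here.
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact-serialised JWT');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('JWT payload is not a JSON object');
    }
    return $claims;
}

/** Returns the required application roles that the token does NOT carry. */
function missingAppRoles(string $jwt, array $required): array
{
    $claims = jwtClaims($jwt);
    // App-only (client credentials) tokens carry application permissions in `roles`;
    // delegated tokens carry scopes in `scp` instead, so an empty `roles` is not a bug there.
    $granted = $claims['roles'] ?? [];
    return array_values(array_diff($required, $granted));
}

// Constructed, unsigned sample token with the same shape as the one in the question.
function sampleToken(array $roles): string
{
    $enc = fn(array $x) => rtrim(strtr(base64_encode(json_encode($x)), '+/', '-_'), '=');
    return $enc(['alg' => 'none', 'typ' => 'JWT']) . '.'
         . $enc(['aud' => 'https://graph.microsoft.com', 'roles' => $roles]) . '.'
         . 'constructed-signature';
}

$needed = ['Mail.Read'];
$tokenBeforeConsent = sampleToken(['User.Read.All']);               // what the question shows
$tokenAfterConsent  = sampleToken(['User.Read.All', 'Mail.Read']);  // after admin consent

assert(missingAppRoles($tokenBeforeConsent, $needed) === ['Mail.Read']);
assert(missingAppRoles($tokenAfterConsent, $needed) === []);

// Usage in the original flow: refuse the /subscriptions call early instead of sending it.
$missing = missingAppRoles($tokenBeforeConsent, $needed);
if ($missing !== []) {
    fwrite(STDERR, 'token lacks application role(s) ' . implode(', ', $missing)
        . "; grant admin consent for them and request a fresh token\n");
}
```

Run the check right after acquiring the token and before the curl call; a role that is missing here will still be missing after Graph answers, and a fresh token is needed once consent has been granted because the old one keeps its original claims until it expires.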
