ctownley

Reputation: 31

Error Access Denied on mailboxSettings for users

I'm trying to hit the https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and am receiving a 403 Error Access Denied response in return.

I have granted both application-level and delegated permissions for MailboxSettings.Read and MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application by examining my decoded auth token with jwt.ms. Here is the excerpt from the decoded token:

"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"

I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.

I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.

Upvotes: 3

Views: 3191

Answers (4)

Oly Dungey

Reputation: 1677

I had the same problem using app-level authentication. I added all the same privileges and it still didn't work. I then requested a new token and it all sprang into life.

I know it's an old question, but I think the answer to the OP is: after changing the API permissions in Entra you need to get a new token for it to take effect.

Upvotes: 0

ctownley

Reputation: 31

As others have stated, a delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit was that I was using the Auth code grant for the token.

After switching to the Client Credentials grant, I am successfully retrieving an auth token that contains the mailboxSettings Application-level scope, and am able to get 200 responses on endpoints for all users.

Upvotes: 0
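A check that ties the answers above together, as an added example that is not part of the thread or of any Microsoft code: before calling /users/{id}/mailboxSettings, decode the token's payload and look at whether the permissions arrived in the scp claim (delegated, from the auth code grant) or in the roles claim (application, from client credentials). The Graph audience values are an assumption stated in the code, the sample tokens are constructed and unsigned, and nothing here verifies a signature, so it is a debugging aid in the spirit of jwt.ms, not an authorization check.

```python
import base64
import json

# Audience values Microsoft Graph tokens carry (the URL form or the Graph
# service principal's well-known app ID). Assumed here; compare with your tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
MAILBOX_SETTINGS_PERMS = {"MailboxSettings.Read", "MailboxSettings.ReadWrite"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT checking the signature.

    Debugging aid only (the same view jwt.ms gives you). Anything that
    authorises requests must validate signature, issuer, audience and expiry
    before trusting a single claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_mailbox_settings_access(token: str) -> dict:
    """Say whether this token can read /users/{id}/mailboxSettings for OTHER users.

    Entra puts delegated permissions in the space-separated ``scp`` claim and
    application permissions in the ``roles`` array. Only the application flavour
    of MailboxSettings.* reaches mailboxes other than the signed-in user's.
    """
    claims = decode_payload(token)
    scp = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))

    if scp:
        kind = "delegated"
        granted = scp & MAILBOX_SETTINGS_PERMS
        other_users = False  # delegated MailboxSettings.* covers /me only
    elif roles:
        kind = "application"
        granted = roles & MAILBOX_SETTINGS_PERMS
        other_users = bool(granted)
    else:
        kind, granted, other_users = "none", set(), False

    return {
        "kind": kind,
        "graph_audience": claims.get("aud") in GRAPH_AUDIENCES,
        "mailbox_settings_permissions": sorted(granted),
        "can_read_other_users_mailbox_settings": other_users,
    }


def _constructed_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline demonstration.

    The signature segment is a placeholder; Graph would reject this token.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed samples: the shape of an auth-code (delegated) token like the one
# in the question, and of client-credentials (application) tokens.
DELEGATED_TOKEN = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Mail.Read MailboxSettings.Read MailboxSettings.ReadWrite",
})
APP_TOKEN = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["MailboxSettings.Read"],
})
APP_TOKEN_WITHOUT_MAILBOX_SETTINGS = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Mail.Read"],
})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("application", APP_TOKEN),
                      ("application, no MailboxSettings", APP_TOKEN_WITHOUT_MAILBOX_SETTINGS)]:
        print(name, classify_mailbox_settings_access(tok))
```

Run against a real token, the delegated case is the one in the question: both MailboxSettings scopes are present in scp, yet only /me is reachable. An application token whose roles array lacks MailboxSettings.* is the case where the app permission was added after the token was issued, and a fresh token (as Oly Dungey describes) is the fix.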

Marc LaFleur

Reputation: 33132

I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.

In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.

Upvotes: 1

Dev

Reputation: 2464

I quickly tested with Microsoft Graph Explorer and it works for me, so I would request that you test the above API call with Graph Explorer and see whether you can repro the issue or not.

Upvotes: 1
