NLErik

Reputation: 45

Cannot read full user profiles MS Graph while having the needed scopes

I am using the GraphServiceClient in my code to access multiple endpoints for data. I have a service account that logs in with Azure AD, with the following scopes: Group.Read.All, User.Read.All, Mail.Read.

However, with these needed scopes I cannot get the MailFolders for a user's profile or a birthdate from the user. It gives the following error:

ServiceException: Code: -2147024891, System.UnauthorizedAccessException.

The delegated permissions in Azure AD have already been granted by an admin (https://i.sstatic.net/Wnoel.jpg).

Example MailFolders:

var result = await client
  .Users[user.Id]
  .MailFolders
  .Request()
  .GetAsync();

This is the error that came back:

ServiceException: 
   Code: ErrorAccessDenied
   Message: Access is denied. Check credentials and try again.

Can I not access other users' profiles, or am I missing something else?

Upvotes: 2

Views: 306

Answers (2)

Jason Johnston

Reputation: 17702

If you have Mail.Read as a delegated permission (meaning you've logged in with a user), then you can only read your own mail, even if someone has given you permissions to their mailbox. In order to read other mailboxes, you need to request the Mail.Read.Shared permission.

If you have Mail.Read as an application permission (meaning there is no logged-in user in your app, using the client credentials flow), then you can read all mailboxes in your org.

Upvotes: 1

Marek Kyzivát

Reputation: 343

I believe that the question is already answered here. Even when your app has admin consent to do something, it does not override the Exchange delegate permission, if you know what I mean.

You would need that specific user's token or try to access it as a user who is delegated in Exchange online.

Upvotes: 0
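Both answers come down to the same check: does the access token carry Mail.Read as a delegated scope (claim "scp"), as an application role (claim "roles"), or does it carry Mail.Read.Shared? The script below is an added example, not code from the question or either answer, that decodes an access token's payload without verifying the signature (a diagnostic on a token you already hold, not an authorization step) and predicts what Graph will say for a given target mailbox. The claim names "scp", "roles" and "oid" are the real Azure AD ones; the sample tokens, object ids and the verdict strings are constructed for the example.

```python
import base64
import json

# Azure AD access-token claims (real claim names): "scp" is a space-separated
# string of delegated scopes, "roles" is a list of application permissions,
# "oid" is the object id of the signed-in user (or of the service principal
# for an app-only token). The verdict strings below are this example's own.
VERDICT_ANY_MAILBOX = "any-mailbox"      # application Mail.Read: every mailbox in the tenant
VERDICT_OWN_MAILBOX = "own-mailbox"      # delegated Mail.Read, caller reads their own mailbox
VERDICT_SHARED = "shared-mailbox"        # delegated Mail.Read.Shared: mailboxes delegated in Exchange
VERDICT_DENIED = "denied"                # delegated Mail.Read against someone else's mailbox


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying the signature.

    Only for inspecting a token you already hold; never use an unverified
    payload to make an authorization decision on the server side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def mailbox_access(token: str, target_user_oid: str) -> str:
    """Predict whether GET /users/{target_user_oid}/mailFolders will be allowed."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())

    if "Mail.Read" in roles:                 # app-only token (client credentials flow)
        return VERDICT_ANY_MAILBOX
    if "Mail.Read" in scopes and claims.get("oid") == target_user_oid:
        return VERDICT_OWN_MAILBOX           # delegated token, own mailbox only
    if "Mail.Read.Shared" in scopes:         # still needs Exchange delegate access to the target
        return VERDICT_SHARED
    return VERDICT_DENIED                    # the situation in the question


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header and payload are real JWT segments, the
    signature segment is a placeholder. Used only to feed the inspector."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens with hypothetical object ids, not real tenant data.
SERVICE_ACCOUNT_OID = "11111111-1111-1111-1111-111111111111"
OTHER_USER_OID = "22222222-2222-2222-2222-222222222222"

DELEGATED_TOKEN = make_unsigned_token({
    "oid": SERVICE_ACCOUNT_OID,
    "scp": "Group.Read.All User.Read.All Mail.Read",   # the scopes from the question
})
DELEGATED_SHARED_TOKEN = make_unsigned_token({
    "oid": SERVICE_ACCOUNT_OID,
    "scp": "Mail.Read Mail.Read.Shared",
})
APP_ONLY_TOKEN = make_unsigned_token({
    "oid": "33333333-3333-3333-3333-333333333333",       # the service principal, not a user
    "roles": ["Mail.Read", "User.Read.All", "Group.Read.All"],
})

if __name__ == "__main__":
    for name, token in [("delegated", DELEGATED_TOKEN),
                        ("delegated+shared", DELEGATED_SHARED_TOKEN),
                        ("app-only", APP_ONLY_TOKEN)]:
        print(f"{name:17s} own mailbox: {mailbox_access(token, SERVICE_ACCOUNT_OID)}; "
              f"other user: {mailbox_access(token, OTHER_USER_OID)}")
```

Run it against a real token by replacing DELEGATED_TOKEN with the bearer token your GraphServiceClient sends: if the payload has "scp" but no "roles", the admin-consented permissions in the portal were granted as delegated, and the service account's token can only ever reach its own mailbox (or, with Mail.Read.Shared, mailboxes delegated to it in Exchange); a token obtained through the client credentials flow carries "roles" instead and is what the MailFolders call on another user needs.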
