Reputation: 41
I am trying to get my user's mail information using the List messages API (https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http).
I am following the instructions described at https://learn.microsoft.com/en-us/graph/auth-v2-service.
I registered my application, configured "Application Permissions" to be able to use List Messages, and got administrator consent using

```http
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/{MY_TENANT_NAME}/adminconsent
?client_id=MY_APP_CLIENT_ID
&state=12345
&redirect_uri=https://localhost/myapp/permissions
```
After giving my credentials I got an admin_consent=True URL. Then I could get an access token using

```http
// Line breaks are for legibility only.
POST https://login.microsoftonline.com/{MY_TENANT_NAME}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=MY_APP_CLIENT_ID
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=MY_APP_SECRET_KEY
&grant_type=client_credentials
```
I have a valid access token. I can see my users by calling https://graph.microsoft.com/v1.0/users.
However, when I call https://graph.microsoft.com/v1.0/users/{MY_USER_ID}/messages, I get an error message:

```json
{
  "error": {
    "code": "OrganizationFromTenantGuidNotFound",
    "message": "The tenant for tenant guid '2a862810-93dc-4096-a6b0-dda413670497' does not exist.",
    "innerError": {
      "request-id": "ba60c495-742b-4655-be74-fe8802427756",
      "date": "2020-04-11T19:20:32"
    }
  }
}
```
Interestingly, when I use https://developer.microsoft.com/en-us/graph/graph-explorer, I can get my user's email. I have checked the queries but I do not see any difference. The only difference I saw, when investigating AAD --> Enterprise Applications --> Permissions, is that I can see user consent permissions in the Graph Explorer application, but not in my application.
Upvotes: 0
Views: 345
Reputation: 2138
How many Active Directory environments are there in this tenant? Are you sure you are creating the Azure AD app in the correct tenant?
I believe you may be using the wrong tenant ID. The user ID exists in that tenant, but the mailbox does not.
In aad.portal.azure.com/#blade/Microsoft_AAD_IAM/… there is the tenant ID property which you should use in the OAuth URL: login.microsoftonline.com/${tenantId}
Double-check that you are using the correct one.
Upvotes: 0
Reputation: 9
Are you using the correct app ID? In your AD app there are three types of IDs: Application ID, Object ID and Directory ID. Here you have to use the Application ID.
You can also verify the AppID in your access token.
Upvotes: 0
Reputation: 657
Strange that it complains about your tenant ID. However, under AAD Registered apps,
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
check whether you have a Mail.Read* permission set.
Upvotes: 0
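The two answers above suggest checking the tenant ID, the Application (client) ID and the Mail.Read application permission; all three can be read straight from the token's claims. The following is an added example (not from the question or either answer) that decodes the token payload without verifying its signature, purely to debug which tenant and app the token was issued for, and extracts the tenant GUID from the OrganizationFromTenantGuidNotFound error so the two can be compared. The GUIDs, the sample token and its signature are constructed placeholders.

```python
import base64
import json
import re

# Microsoft Graph app tokens carry one of these two audiences.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT signature verification.
    Fine for debugging our own freshly issued token; never base an
    authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_graph_app_token(token, expected_tenant, expected_client, required_role="Mail.Read"):
    """Return a list of mismatches; an empty list means the token matches the request."""
    c = decode_claims(token)
    problems = []
    if c.get("tid") != expected_tenant:
        problems.append(f"tid {c.get('tid')!r} is not the tenant used in the token URL")
    # v1.0 tokens carry the caller's client id in 'appid', v2.0 tokens in 'azp'.
    if (c.get("appid") or c.get("azp")) != expected_client:
        problems.append("appid/azp is not the registered Application (client) ID")
    if c.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud {c.get('aud')!r} is not Microsoft Graph")
    if required_role not in c.get("roles", []):
        problems.append(f"roles claim lacks application permission {required_role}")
    return problems

def tenant_guid_from_error(error_body: dict):
    """GUID quoted in an OrganizationFromTenantGuidNotFound message, or None."""
    msg = error_body.get("error", {}).get("message", "")
    m = re.search(r"tenant guid '([0-9a-f-]{36})'", msg)
    return m.group(1) if m else None

# Constructed sample: placeholder GUIDs and a dummy signature so the checks
# run offline. Its roles claim deliberately lacks Mail.Read.
def _unsigned_sample(claims: dict) -> str:
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"

SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_CLIENT = "22222222-2222-2222-2222-222222222222"
SAMPLE_TOKEN = _unsigned_sample({"aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT,
                                 "appid": SAMPLE_CLIENT, "roles": ["User.Read.All"]})
```

Paste a real token into `check_graph_app_token` with the tenant ID and client ID you used in the token request; if `tid` differs from the GUID in the error message, the app registration and the mailbox live in different tenants.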