Reputation: 23
I have registered an application in Azure Active Directory as a daemon authenticating with client secrets. I added Graph API permissions and have granted administrator consent to get a SharePoint list, and I can successfully pull it using the Graph API in C#. I have also granted admin consent to the Mail.Send Graph API permission but get an access denied. The call is set up correctly and the email address I am using as the From field is the administrator's mailbox. Is there some additional configuration or misconfiguration I am doing?
Call to Authenticate
    var clientSecret = @"{My generated Secret in Azure}";
    var clientId = @"{My Client Id}";
    var tenantID = @"{My Tenant Id}";
    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithTenantId(tenantID)
        .WithClientSecret(clientSecret)
        .Build();
    ClientCredentialProvider authenticationProvider = new ClientCredentialProvider(confidentialClientApplication);
    return new GraphServiceClient(authenticationProvider);
My Calling Code to Send Email
    System.IO.MemoryStream ms = new System.IO.MemoryStream();
    System.IO.StreamWriter writer = new System.IO.StreamWriter(ms);
    writer.Write(htmlDocument.Text);
    writer.Flush();
    writer.Dispose();
    MessageAttachmentsCollectionPage attachments = new MessageAttachmentsCollectionPage();
    attachments.Add(new FileAttachment
    {
        ODataType = "#microsoft.graph.fileAttachment",
        ContentBytes = ms.ToArray(),
        ContentType = "text/html",
        ContentId = "testing",
        Name = "My_Report.html"
    });
    var message = new Message
    {
        Subject = "My Report",
        Body = new ItemBody
        {
            ContentType = BodyType.Text,
            Content = "Here is your updated report from list"
        },
        ToRecipients = new List<Recipient>()
        {
            new Recipient
            {
                EmailAddress = new EmailAddress
                {
                    Address = "{End User to receive report}"
                }
            }
        },
        CcRecipients = new List<Recipient>()
        {
            new Recipient
            {
                EmailAddress = new EmailAddress
                {
                    Address = "{my admin email account}"
                }
            }
        },
        From = new Recipient
        {
            EmailAddress = new EmailAddress
            {
                Address = "{my admin email account}"
            }
        },
        Attachments = attachments
    };
    var graphServiceClient = GetGraphServiceClient();
    await graphServiceClient.Me
        .SendMail(message, null)
        .Request()
        .PostAsync();
Upvotes: 1
Views: 2662
Reputation: 1065
You are using client credentials flow.
When authenticating as an application (as opposed to with a user), you can't use delegated permissions - scopes that are granted by a user. You must use application permissions, also known as roles, that are granted by an admin for the application or via pre-authorization by the web API.
So you should give the app application permissions and grant admin consent in the portal.
And modify the following code.
    await graphClient.Users["your admin email account"]
        .SendMail(message, null)
        .Request()
        .PostAsync();
Upvotes: 1
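One way to confirm the diagnosis in the answer above, as an added example that is not part of the original posts: decode the access token the daemon acquires and check whether Mail.Send appears in its `roles` claim, which is where application permissions land in a client-credentials token. The class and method names, the unsigned sample tokens and the Sites.Read.All role are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class GraphTokenCheck
{
    // Decode the payload segment of a compact JWT. No signature check: this is
    // a diagnostic for a token your own app just acquired, not validation.
    static JsonElement Payload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 += new string('=', (4 - b64.Length % 4) % 4);   // restore base64 padding
        using JsonDocument doc = JsonDocument.Parse(
            Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    // Application permissions arrive as a JSON array in the "roles" claim.
    public static bool HasAppRole(string jwt, string role) =>
        Payload(jwt).TryGetProperty("roles", out JsonElement roles)
        && roles.ValueKind == JsonValueKind.Array
        && roles.EnumerateArray().Any(r => r.GetString() == role);

    // Delegated permissions arrive as a space-separated string in "scp".
    public static bool HasDelegatedScopes(string jwt) =>
        Payload(jwt).TryGetProperty("scp", out _);

    // Helper used only to build the constructed samples below.
    static string Seg(string json) => Convert.ToBase64String(
        Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed, unsigned sample tokens. In the real app, pass the
        // AccessToken returned by AcquireTokenForClient(...).ExecuteAsync().
        string h = Seg("{\"alg\":\"none\"}");
        string before = h + "." + Seg("{\"roles\":[\"Sites.Read.All\"]}") + ".x";
        string after = h + "." + Seg("{\"roles\":[\"Sites.Read.All\",\"Mail.Send\"]}") + ".x";

        foreach (var (name, jwt) in new[] { ("before", before), ("after", after) })
        {
            bool canSend = HasAppRole(jwt, "Mail.Send");
            bool delegated = HasDelegatedScopes(jwt);
            Console.WriteLine($"{name}: Mail.Send app role = {canSend}, scp present = {delegated}");
        }
    }
}
```

Mail.Send granted as an application permission applies to every mailbox in the tenant; an Exchange Online application access policy can restrict the app to the mailboxes it actually needs to send from.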