Using Microsoft Graph API to read mail on behalf of users in the enterprise
I am trying to get the messages inside the mailboxes of users in the enterprise via the admin account.
In my app I have the following permissions:
I used the https://login.microsoftonline.com/common/adminconsent?... endpoint to grant the application permissions to read mail in all mailboxes, and after that I used OAuth2 authentication to get a Bearer token.
This is the response I got from the token endpoint:
{
  "token_type": "Bearer",
  "scope": "Mail.Read User.Read User.Read.All profile openid email",
  "access_token": "<token>",
  "expires_in": 3599,
  "ext_expires_in": 3599
}
When I used this to access a mailbox via https://graph.microsoft.com/v1.0/users/USER-ID/messages, I got the following response:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "a31bcf73-4bd6-4fed-bfee-d70328e0703e",
      "date": "2018-11-26T15:20:37"
    }
  }
}
However, when I use this endpoint with the User ID of the authenticated admin account, I am able to access the messages in that mailbox.
But I would like to access the mailboxes of all users in the organization via Microsoft Graph.
Tags: microsoft-graph outlook-restapi
edited Nov 26 '18 at 22:23 by Marc LaFleur
asked Nov 26 '18 at 15:36 by Aviv Bar-El
1 Answer
The Outlook endpoints operate a little differently than most of the Graph endpoints: rather than having a .all variation of their scopes (i.e. user.read vs user.read.all), it depends on which scope type (Delegated vs. Application) is being used.
When Delegated scopes are being used, Mail.Read only provides access to the authenticated user's mailbox (the only exception being those that have been explicitly shared with that user).
When Application scopes are being used, Mail.Read provides access to any user's mailbox.
Now, this is where things get a little wonky: the type of scope that gets applied is entirely dependent on the OAuth Grant used to obtain the token.
- When using Implicit or Authorization Code grants, Delegated scopes are applied.
- When using the Client Credentials grant, Application scopes are applied.
So in order for you to access any user's mailbox via /v1.0/users/{someUser}/messages, you first need to obtain your token using the Client Credentials OAuth grant. You can find a walkthrough on how this works in the documentation under "Get access without a user".
Thank you, that solved it. One more issue I had missed: when I made the call to the token endpoint I used the login.microsoftonline.com/common/oauth2/v2.0/token URL, while I should have used login.microsoftonline.com/{tenant returned from admin consent}/oauth2/v2.0/token.
– Aviv Bar-El
Nov 27 '18 at 12:44
That's correct. Since you're authenticating the app rather than an email address, it isn't possible for AAD to automatically discover which tenant it should authenticate against (a single app id can be authed by multiple tenants). You need to include the specific tenant id rather than common. One aside: it doesn't have to be the GUID, it can be the primary domain as well (/tenant.onmicrosoft.com/oauth2/v2.0/token).
– Marc LaFleur
Nov 27 '18 at 22:29
I am getting a forbidden error while getting an email using the Graph API. Is Global admin access necessary for calling it? Also, what application permissions and delegated permissions should be granted to the app if I am calling the API from a simple HTML page?
– Amay Kulkarni
Jan 22 at 14:49
answered Nov 26 '18 at 22:19 by Marc LaFleur
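As an added example (not code from the question, the answer or the comments), the Python below builds the tenant-specific client-credentials token request that the answer and the follow-up comments describe, and inspects a token's claims to tell an Application token (app permissions in the roles claim) from a Delegated one (user scopes in the scp claim), which is what decides whether /users/{id}/messages returns ErrorAccessDenied. The tenant name, client id, object ids and the unsigned sample tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant.

    `tenant` must be a tenant GUID or verified domain: with no user
    signing in, AAD cannot infer the tenant, so `common` is rejected.
    """
    if tenant in ("common", "organizations", "consumers"):
        raise ValueError("client credentials grant needs a tenant-specific endpoint")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never hard-code
        "scope": "https://graph.microsoft.com/.default",  # all admin-consented app permissions
    })
    return url, body


def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature: fine for
    diagnosing a token, never for an authorization decision."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scope_type(claims):
    """Application tokens carry app roles in `roles`; Delegated ones carry `scp`."""
    if "roles" in claims:
        return "application"
    if "scp" in claims:
        return "delegated"
    return "unknown"


def can_read_mailbox(claims, caller_oid, target_oid):
    """Mail.Read reaches other users' mailboxes only as an Application permission;
    Delegated Mail.Read is limited to the caller's own mailbox (shared mailboxes
    are not modelled here)."""
    kind = scope_type(claims)
    if kind == "application":
        return "Mail.Read" in claims["roles"]
    if kind == "delegated":
        return "Mail.Read" in claims["scp"].split() and caller_oid == target_oid
    return False


def _fake_jwt(payload):
    """Constructed, unsigned token (header.payload.sig) for offline use only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed sample tokens mirroring the two grants the answer describes.
ADMIN_OID = "11111111-1111-1111-1111-111111111111"  # placeholder object ids
OTHER_OID = "22222222-2222-2222-2222-222222222222"
DELEGATED_TOKEN = _fake_jwt({"oid": ADMIN_OID, "scp": "Mail.Read User.Read User.Read.All"})
APP_TOKEN = _fake_jwt({"roles": ["Mail.Read"], "tid": "contoso.onmicrosoft.com"})
```

The delegated token is the shape the question's Authorization Code flow produced (scp lists Mail.Read, so only the admin's own mailbox is readable); the application token is what the tenant-specific client-credentials request returns once admin consent has been granted.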