sendMail graph api, /me endpoint returns 403 despite role assigned

Luca Borzani 21 Reputation points
2021-03-22T14:53:08.32+00:00

Hello,

I have created an app registration and assigned the Mail.Send Application permission.
I acquire a token using the client credentials flow, and the token correctly contains the Mail.Send (as any user) role.

When I call the sendMail API though, the /me endpoint responds with a 403, while the /users endpoint sends the email as expected.

How do I get the /me endpoint to work? I don't want to use the /users endpoint; the request should be executed as the service principal associated to the registration (object id).


Accepted answer
  1. Danstan Onyango 3,741 Reputation points Microsoft Employee
    2021-03-22T17:01:22.973+00:00

    /me requires a signed-in user (Delegated permissions), see here; therefore tokens acquired using the client credential flow won't work with /me and all its extensions, because such a token has only application permissions. To get /me to work you must acquire a token on behalf of the user using /authorize, see here.

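To make the accepted answer concrete, here is an added example (not from the original thread or from Microsoft) that inspects a Graph access token's claims to tell an app-only token (client credentials, `roles` claim) from a delegated token (`scp` claim) and picks the sendMail path that will actually be authorized. The two tokens are constructed dummies with only the payload segment populated; `sender_id` and the helper names are assumptions.

```python
import base64
import json
from typing import Optional


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens: header and signature are placeholders, only the
# payload matters here. Real v2.0 tokens use the same claim names.
APP_TOKEN = "hdr." + _b64url({"aud": "https://graph.microsoft.com",
                              "roles": ["Mail.Send"]}) + ".sig"
DELEGATED_TOKEN = "hdr." + _b64url({"aud": "https://graph.microsoft.com",
                                    "scp": "Mail.Send User.Read"}) + ".sig"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT
    verified, so never use this to make authorization decisions."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def send_mail_path(token: str, sender_id: Optional[str] = None) -> str:
    """Return the Graph path that matches the token type.
    sender_id is the id or userPrincipalName of the mailbox to send from."""
    claims = decode_claims(token)
    if "Mail.Send" in claims.get("scp", "").split():
        # Delegated token: a user is signed in, so /me resolves to that user.
        return "/v1.0/me/sendMail"
    if "Mail.Send" in claims.get("roles", []):
        # App-only token: there is no signed-in user, so /me returns 403 and
        # the mailbox must be named explicitly.
        if not sender_id:
            raise ValueError("app-only token: pass a mailbox for /users/{id}/sendMail")
        return f"/v1.0/users/{sender_id}/sendMail"
    raise PermissionError("token carries neither a Mail.Send scope nor role")


def build_send_mail_body(subject: str, text: str, to: str) -> dict:
    """Build the JSON body accepted by the sendMail action."""
    return {"message": {"subject": subject,
                        "body": {"contentType": "Text", "content": text},
                        "toRecipients": [{"emailAddress": {"address": to}}]},
            "saveToSentItems": True}
```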

2 additional answers

  1. Luca Borzani 21 Reputation points
    2021-03-23T07:20:38.553+00:00

    So there is no way to invoke the graph api using only client_id and client_secret, as both endpoints require a user?


  2. Luca Borzani 21 Reputation points
    2021-03-23T07:32:27.333+00:00

    Yes, I understand I can use the /users endpoint, but it requires a userPrincipal; I'd like to use the servicePrincipal that belongs to the app registration, which already has all the permissions granted by an admin. I think there's no other way than creating a technical user so I can call the /users endpoint with a valid userId.