sendMail graph api, /me endpoint returns 403 despite role assigned

Hello,
I have created an app registration and assigned the Mail.Send Application permission.
I acquire a token using the client credentials flow; the token correctly contains the Mail.Send (as any user) role.
When I call the sendMail API though, the /me endpoint responds with a 403, while the /users endpoint sends the email as expected.
How do I get the /me endpoint to work? I don't want to use the /users endpoint; the request should be executed as the service principal associated to the registration (object id).

Danstan Onyango 3,741 Reputation points Microsoft Employee
2021-03-22T17:01:22.973+00:00
/me requires a signed-in user (Delegated permissions) - See here. Therefore tokens acquired using the client credentials flow won't work with /me and all its extensions, because such a token has only application permissions. To get /me to work you must acquire a token on behalf of the user using /authorize - See here
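The answer's point (a client-credentials token has no signed-in user, so /me cannot resolve and /users/{id} must be named) can be checked client-side before calling Graph. The following is an added example, not code from the thread or from Microsoft; it assumes the standard Microsoft identity platform claim names (`scp` for delegated permissions, `roles` for application permissions) and uses constructed, unsigned sample tokens for offline use.

```python
"""Preflight: pick the sendMail endpoint an access token can actually use.
Delegated tokens carry `scp`; app-only (client credentials) tokens carry
`roles` and no user context, so /me yields 403 and /users/{id} is required.
Sample tokens below are constructed, unsigned JWTs for this demo only."""
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims. No signature check here: this is only a
    client-side preflight, Graph still validates the token on every call."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def send_mail_url(jwt: str, target_user: str = "") -> str:
    """Choose /me/sendMail or /users/{id-or-upn}/sendMail from the claims."""
    claims = token_claims(jwt)
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    roles = set(claims.get("roles", []))           # application permissions
    if "Mail.Send" in scopes:
        return f"{GRAPH}/me/sendMail"
    if "Mail.Send" in roles:
        if not target_user:
            raise ValueError("app-only token: /me has no user, name a mailbox")
        return f"{GRAPH}/users/{target_user}/sendMail"
    raise PermissionError("token carries no Mail.Send permission")


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned token for the demo; Graph would reject it.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


APP_ONLY_TOKEN = _fake_jwt({"roles": ["Mail.Send"], "aud": "https://graph.microsoft.com"})
DELEGATED_TOKEN = _fake_jwt({"scp": "Mail.Send User.Read", "aud": "https://graph.microsoft.com"})
```

Running the same check against a real token from the client credentials flow shows the `roles` claim and no `scp`, which is exactly why /me returns 403 in the question.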
Luca Borzani 21 Reputation points
2021-03-23T07:20:38.553+00:00 So there is no way to invoke the Graph API using only client_id and client_secret, as both endpoints require a user?

Luca Borzani 21 Reputation points
2021-03-23T07:32:27.333+00:00 Yes, I understand I can use the /users endpoint, but it requires a userPrincipal. I'd like to use the servicePrincipal that belongs to the app registration, which already has all the permissions granted by an admin. I think there's no other way than creating a technical user so I can call the /users endpoint with a valid userId.