Mail.ReadBasic.All can't create message subscriptions

HacheJulio 21 Reputation points
2022-03-10T11:21:15.313+00:00

I want to create user-specific subscriptions to messages using an Application (with Application permissions). I don't want to read the message's body, so using the Mail.ReadBasic scope looks like the solution, but it doesn't work for Application permission, so I'm using "Mail.ReadBasic.All".

First, what I've found:

181904-captura-de-pantalla-de-2022-03-10-12-06-04.png

And now, what I have:

I have an app installed like this:

181898-captura-de-pantalla-de-2022-03-10-12-10-56.png

And when I try to create a new subscription for a user using the API (and Python) I get this error:

    import requests

    # access_token: app-only token obtained beforehand with the app's client secret
    payload = {
        "changeType": "created,updated,deleted",
        "notificationUrl": "https://<url>",
        "resource": "/users/<user id>/messages",
        "expirationDateTime": "2022-03-11T10:52:38Z",
        "clientState": "testClientState",
    }

    # Create the change-notification subscription for the user's messages
    graph_data = requests.post(
        "https://graph.microsoft.com/beta/subscriptions/",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
        json=payload,
    )


Graph API call result:

    {
      "error": {
        "code": "ExtensionError",
        "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
        "innerError": {
          "date": "2022-03-10T10:54:50",
          "request-id": "0db50e06-1b87-432b-b6d9-b83120c3de08",
          "client-request-id": "<hidden>"
        }
      }
    }

Using the same credentials (Applications Credentials using App Secrets) I can get that user profile info and the inbox messages list / specific message without any problem.

Is there something I am doing wrong? Is this a bug in the API scopes?

Thanks


6 answers

  1. CarlZhao-MSFT 36,896 Reputation points
    2022-03-11T09:18:50.6+00:00

    Hi @HacheJulio

    This is an error caused by lack of permissions. Use https://jwt.ms/ to parse your token, and make sure you have the Mail.ReadBasic or Mail.ReadBasic.All application permission in your token.

    182149-image.png


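Added example (not part of the original thread): the token check suggested in the answer above, done locally in Python. It assumes a Microsoft identity platform access token in which application permissions appear in the `roles` claim and delegated permissions in `scp`; the function names and the sample token are constructed for illustration, and the signature is deliberately not verified, so this is for inspection only.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    Inspection only: never make an authorization decision on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_report(token: str, wanted: set) -> dict:
    """Summarise which of the wanted permissions the token actually carries."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    kind = "application" if roles else "delegated" if scopes else "none"
    granted = roles | scopes
    return {
        "kind": kind,
        "audience": claims.get("aud"),
        "present": sorted(wanted & granted),
        "missing": sorted(wanted - granted),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for demonstration (hypothetical helper)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample: an app-only token that carries a directory role but no mail role.
SAMPLE = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All"],
})

if __name__ == "__main__":
    print(permission_report(SAMPLE, {"Mail.ReadBasic.All", "Mail.Read"}))
```

A `kind` of `delegated` on a token that was meant to be app-only, or a non-empty `missing` list, means the token being sent is not the one the app registration screen suggests.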


  2. Slobodan 11 Reputation points
    2022-05-09T16:36:01.17+00:00

    Experiencing the same issues create-subscriptions-403-for-mailreadbasic-applica.html

    With Mail.Read application permission, subscriptions work, but with Mail.ReadBasic or Mail.ReadBasic.All (tried both even) it doesn't.


  3. Arunkumar Akuthota 26 Reputation points
    2022-05-31T06:30:25.093+00:00

    Which permissions did you add? Application or delegate?

    I am trying to do the same thing, but I ended up seeing the errors below. For some reason, I face an MSA accounts error. For more info, please refer to https://learn.microsoft.com/en-us/answers/questions/870631/change-notifications-giving-error-34subscription-v.html

    206953-image.png


  4. Arunkumar Akuthota 26 Reputation points
    2022-05-31T13:49:05.293+00:00

    After adding permissions on Graph Explorer, it is working, but I still don't see a callback.

    I could see the callback for the validation token, but not for the notification request.


  5. Arunkumar Akuthota 26 Reputation points
    2022-06-02T13:46:22.033+00:00

    Did you see the error below?

    Operation: Create; Exception: [Status Code: ServiceUnavailable; Reason: Target resource '00030000-d205-2a66-0000-000000000000' hosted on database '14adcc7b-33b0-418a-9cea-71ccf4592c21' is currently on backend 'Unknown']
