Problem with api call to graph api

Question

Problem with api call to graph api

Einat Gelbort 5

Hey! I’m using an Axios call to get messages from a specific channel.
I’m using this URL:

  const url = `https://graph.microsoft.com/v1.0/teams/${groupId}/channels/${channelId}/messages?$top=${amount}`;

When I run it in production, I get a 403.
In the response headers, I can see that the request reached to the following data center:

'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"MWH0EPF000BC273"}}',

In my local environment it reached to different data center:
'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"Israel Central","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"TL1PEPF0000059C"}}',
and it does work

It works locally, but not in production.

What could be causing this, and how can I solve it?

Also, when I add an httpsAgent to the Axios call in production to force routing to the Israel Central datacenter, it works.

response = await axios.get(url, {
      headers: {
        Authorization: `Bearer ${token}`,
        Accept: 'application/json',
      },
      httpsAgent: new https.Agent({
        lookup: (_hostname, _options, cb) => {
          cb(null, [{ address: '20.231.132.33', family: 4 }]);
        },
      }),
    });

Thank you!

Pravallika KV 16,860 Reputation points Microsoft External Staff Moderator

2026-02-02T09:44:49.9233333+00:00
Hi @Einat Gelbort ,

Thanks for reaching out to Microsoft Q&A.

The 403 Forbidden error you are facing typically indicates that there's an authorization issue.

Here are some possible causes and solutions you can try:

Authorization Issues: Ensure that the token you are using has the appropriate permissions to access messages in that channel. Check if the app registration in Azure AD has permissions such as ChannelMessage.Read.All or similar, and that it has been granted admin consent.

IP Restriction Policies: It’s possible that there are IP filtering policies in place at the API level that are blocking requests from certain regions. You can check this by looking at the APIM inspector trace to see if there are any ip-filter policies that may be restricting access based on the data center.

Rate Limiting: Sometimes, if there are too many concurrent requests or if the request rate exceeds the allowed limit, a 403 Forbidden response may be received. You could investigate if there are any rate-limiting policies applied to the API.

Data Center Restrictions: As you noted that routing through the Israel Central data center resolves the issue, there might be specific restrictions or configurations in the production environment that need to be adjusted. If your application is designed to connect to the Israel Central data center, ensure that it's configured properly for production.

Suggested Steps:

Double-check your Azure AD application permissions.

Inspect the APIM policies and logs to see if there are restrictions at play.

Use the API Management inspector to analyze what is happening with your request.

You may want to consider reaching out to Azure Support for further assistance if the issue persists.

Hope this helps!
Einat Gelbort 5 Reputation points

2026-02-02T10:51:03.31+00:00

It’s important to emphasize that I tried to do this using the same token.
I obtained the token using the API call to https://login.microsoftonline.com/${teams.appTenantId}/oauth2/v2.0/token.

Additionally, whether I generated the token locally or in production, I still received a 403 error in production, as I mentioned earlier when I tried to read the messages.

Can you look into this specific app to tell me what is the problem ?
Because I cant find it.
Permissions issue cant explain this
Pravallika KV 16,860 Reputation points Microsoft External Staff Moderator

2026-02-02T15:57:49.2433333+00:00

@Einat Gelbort , I’ll check this and update you accordingly.
Einat Gelbort 5 Reputation points

2026-02-04T13:01:33.9866667+00:00

Im still waiting to a response.
I upgraded my support plan to Standard,
Please help me via the phone. I'm waiting

1 answer

Your answer

Pravallika KV 16,860 Reputation points Microsoft External Staff Moderator

2026-02-02T09:44:49.9233333+00:00

Hi @Einat Gelbort ,

Thanks for reaching out to Microsoft Q&A.

The 403 Forbidden error you are facing typically indicates that there's an authorization issue.

Here are some possible causes and solutions you can try:

Authorization Issues: Ensure that the token you are using has the appropriate permissions to access messages in that channel. Check if the app registration in Azure AD has permissions such as ChannelMessage.Read.All or similar, and that it has been granted admin consent.

IP Restriction Policies: It’s possible that there are IP filtering policies in place at the API level that are blocking requests from certain regions. You can check this by looking at the APIM inspector trace to see if there are any ip-filter policies that may be restricting access based on the data center.

Rate Limiting: Sometimes, if there are too many concurrent requests or if the request rate exceeds the allowed limit, a 403 Forbidden response may be received. You could investigate if there are any rate-limiting policies applied to the API.

Data Center Restrictions: As you noted that routing through the Israel Central data center resolves the issue, there might be specific restrictions or configurations in the production environment that need to be adjusted. If your application is designed to connect to the Israel Central data center, ensure that it's configured properly for production.

Suggested Steps:

Double-check your Azure AD application permissions.

Inspect the APIM policies and logs to see if there are restrictions at play.

Use the API Management inspector to analyze what is happening with your request.

You may want to consider reaching out to Azure Support for further assistance if the issue persists.

Hope this helps!
Einat Gelbort 5 Reputation points

2026-02-02T10:51:03.31+00:00

It’s important to emphasize that I tried to do this using the same token.
I obtained the token using the API call to https://login.microsoftonline.com/${teams.appTenantId}/oauth2/v2.0/token.

Additionally, whether I generated the token locally or in production, I still received a 403 error in production, as I mentioned earlier when I tried to read the messages.

Can you look into this specific app to tell me what is the problem ?
Because I cant find it.
Permissions issue cant explain this
Pravallika KV 16,860 Reputation points Microsoft External Staff Moderator

2026-02-02T15:57:49.2433333+00:00

@Einat Gelbort , I’ll check this and update you accordingly.
Einat Gelbort 5 Reputation points

2026-02-04T13:01:33.9866667+00:00

Im still waiting to a response.
I upgraded my support plan to Standard,
Please help me via the phone. I'm waiting

Answer 1

Hello Einat Gelbort,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having problem with api call to graph api.

Your production network is certainly enforcing Tenant Restrictions v2 / Universal Tenant Restrictions (or an equivalent proxy header), which blocks Graph data‑plane calls from that network, causing 403, while the same token works off‑network. Forcing traffic to a specific IP inadvertently bypassed the enforcement point, which is unsupported.

Follow the steps below in order to fix the issue:

Verify token and permissions confirm the token matches the API: delegated needs ChannelMessage.Read.All; app‑only needs ChannelMessage.Read.Group or ChannelMessage.Read.All, and app‑only calls must be made in the channel owner’s tenant. Quick check: curl -H "Authorization: Bearer $TOKEN" "https://graph.microsoft.com/v1.0/teams/{team-id}/channels/{channel-id}/messages?$top=20". See List channel messages and Resolve Graph auth errors.
Align consent model Ensure the granted permission type matches the token type (delegated vs application) and that admin consent is applied where required. If you use RSC, install the app in the team and use ChannelMessage.Read.Group. See API permissions for channel messages.
Check for Tenant Restrictions enforcement From the production egress, verify whether Tenant Restrictions v2 or Universal Tenant Restrictions (Global Secure Access) are applied; these can block Graph data‑plane calls and yield 403 even with a valid token. Look for the TRv2 header (e.g., sec-Restrict-Tenant-Access-Policy). See Tenant restrictions v2 and Universal tenant restrictions.
Fix the policy (preferred) or isolate the workload In TRv2, allow your tenant/app (or the specific user group) so the Graph call is permitted from production; or exclude the service/principal or egress segment from Universal TR enforcement. Admins configure this in Cross‑tenant access settings and Global Secure Access. See Tenant restrictions v2 and Universal tenant restrictions.
Remove IP pinning; use supported network controls Drop hardcoded IPs and rely on the Microsoft 365 endpoints service (Optimize/Allow) and supported service tags instead of static addresses; this is the recommended, durable approach for Graph connectivity. See Microsoft 365 URLs & IP ranges and Managing Microsoft 365 endpoints.
Re‑test and keep Graph identifiers Re‑run the same request without IP pinning; it should now return 200. If anything fails, capture request-id and UTC Date from response headers for escalation, per Microsoft’s troubleshooting practice. See Resolve Graph authorization errors.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Share via

Problem with api call to graph api

1 answer

Your answer