Invoke-RestMethod : The remote server returned an error: (403) Forbidden

Bob Pants 211 Reputation points
2022-09-27T05:24:10.28+00:00

I am trying to get a mailbox-related script working because of the basic auth disablement, and I am getting the error in the title.

This is the script I am calling (it's not the complete script, just testing access to the Azure app registration)

# Connect to Graph API (client credentials flow).
# The four variables below are set elsewhere in the full script; placeholders are shown here so the snippet runs on its own.
$tenantID     = "<tenant-id>"
$clientId     = "<application-client-id>"
$clientSecret = "<client-secret>"
$MailSender   = "<service-account-upn>"

$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -Method POST -Body $tokenBody

$headers = @{
    "Authorization" = "Bearer $($tokenResponse.access_token)"
    "Content-type"  = "application/json"
}

# List the messages in the Inbox of $MailSender (a GET; the commented-out POST is not needed for reading)
$URLsend = "https://graph.microsoft.com/v1.0/users/$MailSender/mailfolders/Inbox/messages"

#Invoke-RestMethod -Method POST -Uri $URLsend -Headers $headers
$resp_2 = Invoke-RestMethod -Method GET -Uri $URLsend -ContentType "application/json" -Headers $headers

# 'print' is not a PowerShell cmdlet (it resolves to print.exe); write the messages to the pipeline instead
$resp_2.value | Format-Table subject, receivedDateTime

The issue seems to be related to the API permissions, this is what I currently have set

[image 245042-image.png: screenshot of the app registration's current API permissions]

When I add an application permission for "Mail.Read" and consent to it, it works, but this seems to allow any user to connect to any mailbox once the permission is approved. It ran calling the mailbox of a user in the $MailSender value who was not explicitly listed as a user of this app registration, and it still worked. For the delegated permissions, the Mail.Read property states "Reads the signed-in user's mailbox". When using the same permission under Application, it says "Reads ALL user mailboxes". Most of the equivalent app permissions appear much broader than their delegated counterparts.

How can I set minimum permissions for an account to read and delete mail from only the mailbox belonging to the service account that's defined in the $MailSender property?

Tags: Microsoft Graph, Microsoft Entra ID

1 answer

CarlZhao-MSFT 37,786 Reputation points
2022-09-28T02:45:15.363+00:00

Hi @Bob Pants

You can restrict mailbox access by configuring an application access policy.

There are scenarios where administrators may want to limit an app to only specific mailboxes and not all Exchange Online mailboxes in the organization. Administrators can identify the set of mailboxes to permit access by putting them in a mail-enabled security group. Administrators can then limit third-party app access to only that set of mailboxes by creating an application access policy for access to that group.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
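The procedure in the answer carried through in Exchange Online PowerShell, as an added example (this is not the answerer's code and not part of the original post). It assumes the ExchangeOnlineManagement module, an Exchange administrator session, and placeholder values for the tenant domain, the mailbox addresses and the app's client ID. The app still needs the Mail.ReadWrite application permission in Entra ID to delete messages; the policy does not grant anything, it only narrows which mailboxes the granted permission can reach.

```powershell
# Added example (not from the original post): scope a Graph app's Mail.* application
# permission to a single mailbox with an Exchange Online application access policy.
# Requires the ExchangeOnlineManagement module and an Exchange administrator.
# Every identifier below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$appId       = "00000000-0000-0000-0000-000000000000"   # Application (client) ID of the app registration (placeholder)
$serviceAcct = "svc-mailbox@contoso.example"           # the $MailSender mailbox from the question (placeholder)
$otherUser   = "someone.else@contoso.example"          # a mailbox the app must NOT be able to read (placeholder)
$groupName   = "GraphMailApp-AllowedMailboxes"

# 1. A mail-enabled security group holding only the mailboxes the app may touch.
$group = New-DistributionGroup -Name $groupName -Type Security `
    -PrimarySmtpAddress "$groupName@contoso.example"
Add-DistributionGroupMember -Identity $group.Identity -Member $serviceAcct

# 2. The policy: the app's application permissions apply only to members of that group.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Restrict the mailbox script to its own service-account mailbox"

# 3. Verify the effective decision for an in-scope and an out-of-scope mailbox.
Test-ApplicationAccessPolicy -Identity $serviceAcct -AppId $appId
Test-ApplicationAccessPolicy -Identity $otherUser   -AppId $appId

# 4. Audit: list every policy so the restriction is visible to reviewers.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description
```

Test-ApplicationAccessPolicy reports its decision in the AccessCheckResult property: Granted for the service-account mailbox and Denied for the other user. Policy changes can take up to 30 minutes to take effect, so re-run step 3 after that before treating a Graph call that still succeeds against the out-of-scope mailbox as a misconfiguration; once the policy is active, the script's GET against $otherUser returns 403 while the GET against $MailSender keeps working.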