Issues while implementing token-based Modern Auth with Microsoft Graph API in Java

Chawda Heenal 21 Reputation points
2022-10-13T07:26:01.437+00:00

To address Microsoft's deprecation of Basic auth for EWS applications, we are trying to implement modern auth (OAuth) using Microsoft's Graph API in Java:

Following the documentation for the app-only ClientSecretCredential process of the Microsoft Graph API, we have been able to successfully get the access token (with the credentials we received from the Azure AD app registration). To check whether we can access the Outlook inbox, we were trying to list the inbox emails (using the ID of an inbox that our team owns, to test whether the emails get listed):

    return _appClient.users("*********@***.com")
            .mailFolders("inbox")
            .messages()
            .buildRequest()
            .select("from,isRead,receivedDateTime,subject")
            .top(25)
            .orderBy("receivedDateTime DESC")
            .get();

While checking in Postman with the client credentials and token, we get Access denied.
During the Azure AD app registration we did mention the required permissions.

Any inputs will be helpful in resolving the issue.


Accepted answer
  1. CarlZhao-MSFT 37,706 Reputation points
    2022-10-13T07:53:12.647+00:00

    Hi @Chawda Heenal

    Use jwt.ms to parse your access token and make sure you have one of the Mail.ReadBasic.All, Mail.Read, or Mail.ReadWrite permissions in the roles claim.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
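
The roles-claim check from the accepted answer can also be done locally in Java instead of in jwt.ms. The following is an added example, not code from this thread or from Microsoft; it assumes Gson is on the classpath, and the class name, method names and sample token are constructed for illustration.

```java
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical diagnostic helper (names are illustrative); assumes Gson is available.
public class RolesClaimCheck {
    // Application permissions named in the accepted answer; any one of them is enough.
    static final Set<String> MAIL_READ_ROLES =
            Set.of("Mail.ReadBasic.All", "Mail.Read", "Mail.ReadWrite");

    /** Decodes the JWT payload (no signature check: diagnostics only) and returns its roles. */
    static Set<String> rolesOf(String accessToken) {
        String[] parts = accessToken.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWT (header.payload.signature)");
        }
        byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
        JsonObject claims = JsonParser
                .parseString(new String(payload, StandardCharsets.UTF_8)).getAsJsonObject();
        Set<String> roles = new LinkedHashSet<>();
        // App-only tokens carry application permissions in "roles"; an empty result
        // here means the token holds no consented application permission at all.
        if (claims.has("roles") && claims.get("roles").isJsonArray()) {
            for (JsonElement role : claims.getAsJsonArray("roles")) {
                roles.add(role.getAsString());
            }
        }
        return roles;
    }

    static boolean canReadMail(String accessToken) {
        return rolesOf(accessToken).stream().anyMatch(MAIL_READ_ROLES::contains);
    }

    public static void main(String[] args) {
        // Constructed sample token with a fake signature, not a real credential.
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String body = b64.encodeToString(
                "{\"roles\":[\"User.Read.All\"]}".getBytes(StandardCharsets.UTF_8));
        String token = header + "." + body + ".c2lnbmF0dXJl";
        System.out.println("roles: " + rolesOf(token));
        System.out.println("can read mail: " + canReadMail(token));
    }
}
```

Pass the token string returned by the credential to `canReadMail` before calling Graph, and log only the decoded role names, never the token itself.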


1 additional answer

  1. Vasil Michev 96,836 Reputation points MVP
    2022-10-13T07:55:04.87+00:00

    Did you add the impersonation bits? When running in the application permissions model, your app runs in the context of a service principal, not a user, thus it cannot access mailbox data until you tell it which user to impersonate.
    Other than that, make sure that there are no Application access policies blocking access for your app: https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/
