This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 2%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Getting the following error:
Error: The request failed. The remote server returned an error: (403) Forbidden.
Error is being triggered on the following call:
var folders = ewsClient.FindFolders(WellKnownFolderName.Inbox, new FolderView(10));
Block of code getting executed:
public static async System.Threading.Tasks.Task processAccountsExchange()
{
try
{
var cca = ConfidentialClientApplicationBuilder
.Create("b3d*********")
.WithClientSecret("P5R******")
.WithTenantId("090********")
.Build();
// The permission scope required for EWS access
var scopes = new string[] { "https://outlook.office365.com/.default" };
//Make the token request
var authResult = await cca.AcquireTokenForClient(scopes).ExecuteAsync();
// Configure the ExchangeService with the access token
var ewsClient = new ExchangeService();
ewsClient.Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx");
ewsClient.Credentials = new OAuthCredentials(authResult.AccessToken);
ewsClient.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "******@ourcompanydomain.com");
//Include x-anchormailbox header
ewsClient.HttpHeaders.Add("X-AnchorMailbox", "******@ourcompanydomain.com");
var folders = ewsClient.FindFolders(WellKnownFolderName.Inbox, new FolderView(10));
foreach (var folder in folders)
{
Console.WriteLine(folder.WellKnownFolderName.ToString());
}
}
catch (MsalException ex)
{
Console.WriteLine("Error acquiring access token: " + ex.Message.ToString());
}
catch (Exception ex)
{
Console.WriteLine("Error: " + ex.Message.ToString());
}
if (System.Diagnostics.Debugger.IsAttached)
{
Console.WriteLine("Hit any key to exit...");
Console.ReadKey();
}
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 31%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJX%3C/text%3E%3C/svg%3E)
Hi, I'm here to confirm that is there any progress with the issue? If the reply helps, you could mark it as an answer to close the thread, thank you!
Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Did you grant impersonation permissions? full_access_as_app is needed for this scenario. In addition, access might be blocked due to application access policy, as detailed for example here: https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/
Thanks Michev!
I've reached out to our Exchange Admin to grant the impersonation permissions. Might not happen till Monday though but will post an update once that has happened. Have a good day.
I'm not sure where in the Azure admin portal I can confirm impersonation is turned on with the “full_access_as_app” setting. Appreciate any guidance on locating whether or not "full_access_as_ap" has truly been turned on for impersonation permissions.
Also, do the permissions need to be set on the application and/or the account being impersonated? From what I have learned about these permissions, it seems that there are permissions at both levels (i.e. applications and impersonated accounts). Hope that makes sense.
Thanks again for the assistance.
You can find them under the (hidden) Exchange legacy API: https://www.michev.info/Blog/Post/3180/exchange-api-permissions-missing
Alternatively, you can check the app manifest directly: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#configure-for-app-only-authentication
If you are using the application permissions model, impersonation is granted directly at the Graph API layer. Thus the need to use app access policy, if you want to restrict permissions. If you are running int he delegate permissions model, the standard Exchange RBAC controls apply.