Getting error while fetching email data of users in my organizational account.

Anns 61 Reputation points
2023-03-27T17:36:56.7866667+00:00

I am trying to hit this URL from Postman.

https://graph.microsoft.com/v1.0/users/{USER_ID}/mailFolders/Inbox/messages

but unfortunately, I am getting this error.

{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}

and this for another user

{"error":{"code":"MailboxNotEnabledForRESTAPI","message":"The mailbox is either inactive, soft-deleted, or is hosted on-premise.","innerError":{"date":"2023-03-27T17:26:29","request-id":"59eb84fd-92f0-4fe5-a439-93e3683d5416","client-request-id":"59eb84fd-92f0-4fe5-a439-93e3683d5416"}}}

I have provided an access token against these permissions.

  • AuditLog.Read.All
  • DeviceManagementManagedDevices.Read.All
  • Files.Read.All
  • Mail.Read
  • Reports.Read.All
  • SecurityEvents.Read.All
  • SecurityEvents.ReadWrite.All
  • User.Read
  • User.Read.All
  • UserAuthenticationMethod.Read.All
  • profile
  • openid
  • email

What am I missing here? What do I need to do to fix this issue?

Note: The access token is not expired!

Accepted answer
  1. HarmeetSingh7172 4,811 Reputation points
    2023-03-27T22:28:22.0633333+00:00

    Hello Anns,

    Thanks for reaching out!

    As per the error details you shared - {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}} - it seems you are using a delegated token while trying to access another user's mail folder messages. Delegated permissions only work with a signed-in user present (/me/mailFolders/{id}/messages).

    To access another user's mail folder messages (/users/{id | userPrincipalName}/mailFolders/{id}/messages), you need to use an application token with the required application permissions.

    To check the token type and the permissions the token has, you can use https://jwt.ms/ to decode your token and look at the scp/roles property and the permissions that property lists (scp means delegated, roles means application).

    You can test the Graph endpoint below in an API client like Postman with an application token generated using the client credentials flow, with the required permissions granted to the AAD application.

    users/{user-id}/mailfolders/{mailfolder-id}/messages

    Regarding the second error - {"error":{"code":"MailboxNotEnabledForRESTAPI","message":"The mailbox is either inactive, soft-deleted, or is hosted on-premises"}} - it seems there is no valid M365 license assigned to the AAD user. This error can occur if the mailbox is on a dedicated Microsoft Exchange Server and is not a valid Microsoft 365 mailbox. Please note that Exchange Online mailboxes and Outlook calendars will only be available/created for users with a valid M365 license.

    Please refer to this similar post and documentation.

    Please refer to the links below for a better understanding of tokens, permissions and access scenarios:
    Authentication and authorization basics - Microsoft Graph | Microsoft Learn
    Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment
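
The scp/roles check described in the accepted answer can also be done locally, without pasting the token into a web page. The following is an added example, not code from the answer or from Microsoft; the function names and the two sample tokens are constructed for illustration, and the default permission name is taken from the list in the question. It decodes the payload for inspection only and does not verify the signature.

```python
import base64
import json

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (header.payload.signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

def decode_claims(token: str) -> dict:
    """Return the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(claims: dict) -> tuple:
    """scp (space-separated string) -> delegated; roles (list) -> application."""
    scp = (claims.get("scp") or "").split()
    roles = list(claims.get("roles") or [])
    if scp:
        return "delegated", scp
    if roles:
        return "application", roles
    return "unknown", []

def can_read_other_mailbox(token: str, needed: str = "Mail.Read") -> bool:
    """True only for an application token whose roles include `needed`."""
    kind, perms = classify(decode_claims(token))
    return kind == "application" and needed in perms

# Constructed sample tokens, not real credentials.
DELEGATED = make_token({"scp": "Mail.Read User.Read openid profile email"})
APP_ONLY = make_token({"roles": ["Mail.Read", "User.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        kind, perms = classify(decode_claims(tok))
        print(f"{name}: type={kind} perms={perms} "
              f"other-mailbox={can_read_other_mailbox(tok)}")
```

A delegated token that carries Mail.Read in scp still fails the check, which matches the ErrorAccessDenied case in the question.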


1 additional answer

  1. Andy David - MVP 147.6K Reputation points MVP
    2023-03-27T17:46:02.59+00:00

    Hi, see. I assume you are using an app and not delegated perms, so make sure it's set to application permission type.

    https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http


    1 person found this answer helpful.
