Getting error while fetching email data of users in my organizational account.

Anns 61 Reputation points
2023-03-27T17:36:56.7866667+00:00

I am trying to hit this URL from Postman.

https://graph.microsoft.com/v1.0/users/{USER_ID}/mailFolders/Inbox/messages

but unfortunately, I am getting this error.

{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}

and this for another user

{"error":{"code":"MailboxNotEnabledForRESTAPI","message":"The mailbox is either inactive, soft-deleted, or is hosted on-premise.","innerError":{"date":"2023-03-27T17:26:29","request-id":"59eb84fd-92f0-4fe5-a439-93e3683d5416","client-request-id":"59eb84fd-92f0-4fe5-a439-93e3683d5416"}}}

I have provided an access token against these permissions.

  • AuditLog.Read.All
  • DeviceManagementManagedDevices.Read.All
  • Files.Read.All
  • Mail.Read
  • Reports.Read.All
  • SecurityEvents.Read.All
  • SecurityEvents.ReadWrite.All
  • User.Read
  • User.Read.All
  • UserAuthenticationMethod.Read.All
  • profile
  • openid
  • email

What am I missing here? What do I need to do to fix this issue?

Note: The access token is not expired!
Microsoft Security | Microsoft Graph

Answer accepted by question author
    HarmeetSingh7172 4,831 Reputation points
    2023-03-27T22:28:22.0633333+00:00

    Hello Anns,

    Thanks for reaching out!

    As per the error details you shared - {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}} - it seems you are using a delegated token while trying to access another user's mail folder messages. Delegated permissions only work with a signed-in user present (/me/mailFolders/{id}/messages).

    For accessing another user's mail folder messages (/users/{id | userPrincipalName}/mailFolders/{id}/messages), you need to use an application token with the required application permissions.

    In order to check the token type and the permissions the token has, you can use https://jwt.ms/ to decode your token and check for the scp or roles claim and the permissions it lists (scp = delegated, roles = application).

    You can test the Graph endpoint below in an API client like Postman with an application-type token generated using the client credentials flow, from an AAD application that has the required permissions.

    users/{user-id}/mailfolders/{mailfolder-id}/messages

    Regarding the second error - {"error":{"code":"MailboxNotEnabledForRESTAPI","message":"The mailbox is either inactive, soft-deleted, or is hosted on-premises"}} - it seems there is no valid M365 license assigned to that AAD user. This error can occur if the mailbox is on a dedicated Microsoft Exchange Server and is not a valid Microsoft 365 mailbox. Please note that an Exchange Online mailbox and Outlook calendars will only be available/created for users with a valid M365 license.

    Please refer to this similar post and documentation.

    Please refer to the links below for a better understanding of tokens, permissions and access scenarios:
    Authentication and authorization basics - Microsoft Graph | Microsoft Learn
    Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.
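
The diagnosis in the accepted answer (decode the token, look for scp versus roles, then mint an application token with the client credentials flow) as an added, runnable example; this is not code from the original thread or from Microsoft. The two sample tokens are constructed with a dummy signature purely so the script runs offline; the tenant/client IDs passed to the token-request helper are placeholders, and the audience values and token endpoint are the documented Microsoft Graph and Azure AD v2.0 ones.

```python
"""Offline check of a Microsoft Graph access token (what https://jwt.ms/ does
in the browser): is it delegated (scp) or application (roles), and can it
call /users/{id}/mailFolders/Inbox/messages at all?

Added example, not part of the original Q&A thread. Sample tokens below are
constructed and unsigned; nothing here verifies a signature.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph's well-known aud
MAIL_APP_PERMS = {"Mail.Read", "Mail.ReadWrite"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """'delegated' if the token carries scp, 'application' if it carries roles."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def permissions(claims: dict) -> set:
    # scp is a space-separated string; roles is a JSON array of strings.
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def can_read_other_users_mail(claims: dict) -> tuple:
    """(ok, reason) for calling /users/{id}/mailFolders/Inbox/messages.

    A delegated Mail.Read only reaches the signed-in user's mailbox (/me/...),
    which is why it yields ErrorAccessDenied on another user's mailbox.
    """
    if claims.get("aud") not in (GRAPH, GRAPH_APP_ID):
        return False, f"audience {claims.get('aud')!r} is not Microsoft Graph"
    kind, perms = token_kind(claims), permissions(claims)
    if kind == "application":
        granted = perms & MAIL_APP_PERMS
        if granted:
            return True, f"application token with {sorted(granted)}"
        return False, "application token: roles claim lacks Mail.Read/Mail.ReadWrite"
    if kind == "delegated":
        return False, ("delegated token (scp claim): only /me/mailFolders/... works; "
                       "get an application token via client credentials instead")
    return False, "token carries neither scp nor roles"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Build the v2.0 client credentials request for Graph as (url, form body).

    The app registration needs admin-consented *application* permissions; the
    resulting token then lists them in `roles`, not `scp`.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the request built above (network call; not run in the demo)."""
    url, body = client_credentials_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token: header + claims + dummy signature segment."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.dummy"


# Constructed samples: the first mirrors the permission list from the question.
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": GRAPH,
    "scp": "AuditLog.Read.All Files.Read.All Mail.Read User.Read User.Read.All "
           "profile openid email",
})
APP_TOKEN = make_unsigned_jwt({"aud": GRAPH_APP_ID, "roles": ["Mail.Read", "User.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("application", APP_TOKEN)):
        claims = decode_claims(tok)
        print(name, token_kind(claims), sorted(permissions(claims)),
              can_read_other_users_mail(claims))
```

Paste a real token from Postman into `decode_claims` and the report tells you which of the two failure modes you are in: a `scp` claim means the token came from an interactive (delegated) flow and cannot read other users' mailboxes regardless of which permissions are listed; a `roles` claim without `Mail.Read` means the application permission was added but not admin-consented. Neither check replaces signature validation, which is the resource server's job, not the client's.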


1 additional answer

Sort by: Most helpful
    Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
    2023-03-27T17:46:02.59+00:00

    Hi, see the link below. I assume you are using an app and not delegated perms, so make sure it's set to the application permission type.

    https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http
