Enabled for users to sign-in effect on MS Graph

Domagoj Grguric 100 Reputation points
2023-10-24T13:10:47.96+00:00

While we were implementing fetchin message details of users (https://graph.microsoft.com/v1.0/users/USER_ID/messages?&count=true endpoint) in our tenant we were getting back the following error messages:

"code": "AuthenticationError",
"message": "Error authenticating with resource",

After a lot of digging we found out that what was causing the issue was that the sign-in option was disabled:

https://stackoverflow.com/questions/67169671/powershell-getting-aadsts500014-error-while-trying-to-connect-to-exchange-onlin

I have a few questions:

  • How does this option have an effect on MS Graph endpoints, why when turned off the MS Graph endpoint throws the above error?
  • With this in mind, I would say that having this enabled is a pre-requisite of running MS Graph API calls for Exchange endpoints. Is this a fair statement?
  • What is the impact to the whole tenant and user when having this option enabled?

Thanks :)

Microsoft Exchange Online
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,888 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 97,306 Reputation points MVP
    2023-10-24T15:35:37.75+00:00

    If you are referring to the "Enabled for users to sign-in" setting for the Exchange Online service principal, or any service principal for that matter, it should be set to Enabled. Otherwise, anyone trying access any resource serviced by the service principal in question will run into errors. Graph API is not an exception here, by blocking access to the SP object, you're effectively blocking any Exchange Online related Graph API calls.

    And yes, said setting is Enabled by default for any organization that has an active M365/Exchange Online subscription. The only scenario I can think of for it being disabled is when all licenses containing the ExO service plan have expired, so the service is in the process of deprovisioning. Well, that and (un)intentional admin action - you can check the audit logs for such.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful