Enabled for users to sign-in effect on MS Graph

Domagoj Grguric 100 Reputation points
2023-10-24T13:10:47.96+00:00

While we were implementing fetching of message details of users (https://graph.microsoft.com/v1.0/users/USER_ID/messages?&count=true endpoint) in our tenant we were getting back the following error messages:

"code": "AuthenticationError",
"message": "Error authenticating with resource",

After a lot of digging we found out that what was causing the issue was that the sign-in option was disabled:

https://stackoverflow.com/questions/67169671/powershell-getting-aadsts500014-error-while-trying-to-connect-to-exchange-onlin

I have a few questions:

  • How does this option affect MS Graph endpoints, and why does the MS Graph endpoint throw the above error when it is turned off?
  • With this in mind, I would say that having this enabled is a prerequisite for running MS Graph API calls against Exchange endpoints. Is this a fair statement?
  • What is the impact to the whole tenant and user when having this option enabled?

Thanks :)

Microsoft Exchange Online
Microsoft Graph

Accepted answer
  1. Vasil Michev 100.2K Reputation points MVP
    2023-10-24T15:35:37.75+00:00

    If you are referring to the "Enabled for users to sign-in" setting for the Exchange Online service principal, or any service principal for that matter, it should be set to Enabled. Otherwise, anyone trying to access any resource serviced by the service principal in question will run into errors. Graph API is no exception here: by blocking access to the SP object, you're effectively blocking any Exchange Online related Graph API calls.

    And yes, said setting is Enabled by default for any organization that has an active M365/Exchange Online subscription. The only scenario I can think of for it being disabled is when all licenses containing the ExO service plan have expired, so the service is in the process of deprovisioning. Well, that and (un)intentional admin action - you can check the audit logs for such.

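As an added example (not code from the thread or from Microsoft), a Python script that reads the accountEnabled flag of the Exchange Online service principal from a Graph servicePrincipals response and scans directoryAudits entries for the admin action Vasil mentions. The appId constant, the audit-entry field shapes and the sample responses are assumptions constructed for the example.

```python
"""Check whether the Exchange Online service principal is sign-in enabled and
find audit events that disabled it. Added example, not from the Q&A thread."""
import json

# Assumed well-known appId of the "Office 365 Exchange Online" first-party app.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Graph requests a practitioner would issue (not executed here, to stay offline):
#   GET /v1.0/servicePrincipals?$filter=appId eq '<appId>'&$select=id,appDisplayName,accountEnabled
#   GET /v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Update service principal'

def sign_in_status(sp_response: dict) -> dict:
    """Map each service principal in a Graph list response to its sign-in state.
    accountEnabled=false corresponds to 'Enabled for users to sign-in: No'."""
    return {sp["appDisplayName"]: bool(sp.get("accountEnabled", False))
            for sp in sp_response.get("value", [])}

def disabling_events(audit_response: dict) -> list:
    """Return (time, actor, target) for audit entries that set AccountEnabled
    to false on a service principal; these are the admin-action cases."""
    hits = []
    for entry in audit_response.get("value", []):
        if entry.get("activityDisplayName") != "Update service principal":
            continue
        actor = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for target in entry.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                # Assumed encoding: old/new values are JSON strings such as "[false]".
                if (prop.get("displayName") == "AccountEnabled"
                        and json.loads(prop.get("newValue") or "[true]") == [False]):
                    hits.append((entry["activityDateTime"], actor, target.get("displayName")))
    return hits

# Constructed sample responses mimicking the Graph shapes described above.
SAMPLE_SPS = {"value": [
    {"id": "sp-1", "appId": EXCHANGE_ONLINE_APP_ID,
     "appDisplayName": "Office 365 Exchange Online", "accountEnabled": False},
    {"id": "sp-2", "appId": "00000003-0000-0000-c000-000000000000",
     "appDisplayName": "Microsoft Graph", "accountEnabled": True}]}
SAMPLE_AUDIT = {"value": [
    {"activityDisplayName": "Update service principal",
     "activityDateTime": "2023-10-20T09:12:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Office 365 Exchange Online",
         "modifiedProperties": [{"displayName": "AccountEnabled",
                                 "oldValue": "[true]", "newValue": "[false]"}]}]}]}

if __name__ == "__main__":
    print(sign_in_status(SAMPLE_SPS))   # {'Office 365 Exchange Online': False, 'Microsoft Graph': True}
    print(disabling_events(SAMPLE_AUDIT))
```

Feed the two functions the real JSON from the Graph requests named in the comments to check a live tenant; a False entry for the Exchange Online principal is the condition that produced the AuthenticationError in the question.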
