How can a user grant access to their mailbox via Graph API?

Radim Wittmann 0 Reputation points
2024-03-28T13:16:12.81+00:00

I have a 'global admin' account through which I performed the app registration and configuration. As a result, I obtained the tenantID, clientID, and ClientSecret. With these credentials, along with the username and password, I am able to successfully generate a token, granting me access to the 'global admin' account's mailbox. Additionally, I am able to generate a token using the credentials of other accounts belonging to the organization. However, I encounter an 'access denied' error when attempting to access the user's mailbox using the token from the user. What steps can I take to gain access to the user's mailbox using the user's username and password?

Here are my permissions:

[Screenshot of the app registration's API permissions, 2024-03-28]


2 answers

  1. Andy David - MVP 141.1K Reputation points MVP
    2024-03-28T13:59:47.4833333+00:00

    Your permissions are application permissions. You wouldn't use a user's credentials to access a mailbox. Your application will need to auth with a managed identity, or client secret or certificate if using application permissions.

    If you want to access a mailbox a user has existing access to, then use delegated permissions


  2. Yakun Huang 80 Reputation points
    2024-03-29T07:05:57.93+00:00

    Hi @Radim Wittmann,

    There are two ways to access another user's mailbox:

    1. Grant the app application permission, and once the token is obtained through the client credential flow, it can access the other user's mailbox.
    2. The app has the appropriate delegated permission from one user, and another user has shared a mail folder with that user, or has given delegated access to that user.

    As you can see from your issue description, the second method is used, but the error occurs because the other user is not sharing the mailbox or has not given delegated access to that user, so add a shared folder or delegate another user to act on your behalf.

    If you want to know more detailed information, you can check out this link:

    https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=csharp

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

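Added example, not part of either answer: a small Python diagnostic that reads the claims of a Graph access token (`roles` carries application permissions from the client credentials flow, `scp` carries delegated permissions from user flows) and explains why a call against another user's mailbox is denied, following the distinction both answers draw. It decodes without verifying the signature, so it is only for inspecting tokens you already hold; the sample tokens, UPNs and function names are constructed for this example.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_mail_token(token: str, target_upn: str, needed: str = "Mail.Read") -> dict:
    """Explain from the claims whether /users/{target_upn}/messages can succeed with this token."""
    claims = decode_claims(token)
    roles = claims.get("roles", [])          # application permissions (client credentials flow)
    scopes = claims.get("scp", "").split()   # delegated permissions (user signed in)
    owner = claims.get("upn") or claims.get("preferred_username")
    if roles and not scopes:
        kind, ok = "application", needed in roles
        why = "ok" if ok else f"app-only token lacks the {needed} application permission"
    else:
        kind = "delegated"
        own_mailbox = owner is not None and owner.lower() == target_upn.lower()
        if needed not in scopes and f"{needed}.Shared" not in scopes:
            ok, why = False, f"user token has no {needed} scope: only application permissions were granted; add delegated {needed}"
        elif own_mailbox:
            ok, why = True, "ok"
        elif f"{needed}.Shared" in scopes:
            ok, why = True, f"{needed}.Shared present; {target_upn} must still share or delegate the mailbox to {owner}"
        else:
            ok, why = False, f"{needed} only covers {owner}'s mailbox; need {needed}.Shared plus sharing, or an app-only token"
    return {"kind": kind, "roles": roles, "scopes": scopes, "allowed": ok, "reason": why}

def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline use only; the signature segment is a dummy.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.x"

# Constructed payloads mirroring the situations in the thread (UPNs are placeholders).
APP_ONLY = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"]})
USER_NO_SCOPE = make_sample_token({"aud": "https://graph.microsoft.com", "upn": "user@contoso.example"})
USER_SHARED = make_sample_token({"aud": "https://graph.microsoft.com", "upn": "user@contoso.example",
                                 "scp": "Mail.Read Mail.Read.Shared"})
```

Run `diagnose_mail_token(USER_NO_SCOPE, "other@contoso.example")` to see the asker's case: a user token issued to an app that only holds application permissions carries no `scp`, so the mailbox call is denied.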