Large attachment file for draft message refuses MS generated token

CodeMonkey 0 Reputation points
2025-02-16T14:54:17.3166667+00:00

Hi,

I'm currently writing a custom Django email backend to seamlessly integrate sending emails via Outlook. I'm almost done, but I have a problem with emails that have a large attachment file (>3MB). I follow the recommended way, written in the documentation:

  • Get access token via MSAL
  • Create a Draft message with any attachments smaller than 3MB
  • Start upload sessions for all attachments larger than 3MB
  • Upload all remaining files
  • Finally send the email (with all attachments)

Everything works as expected, until I start uploading the file. I generate a valid upload session & now want to start uploading in 4MB chunks (as suggested in the documentation). But I get the following response back:

{
    "error": {
        "code": "InvalidSignature",
        "message": "The token has an invalid signature.",
        "innerError": {
            "oAuthEventOperationId": "ddc4b076-e1fa-47f3-ae78-2ced7f36e229",
            "oAuthEventcV": "P0VwEU/MWWo3PsX2fjrWuw.1.1",
            "errorUrl": "https://aka.ms/autherrors#error-InvalidSignature",
            "requestId": "b91648c6-a604-4f1a-a689-dc88b3ea69d8",
            "date": "2025-02-16T14:07:26"
        }
    }
}

Problem here: The mentioned token (authtoken=...) is NOT generated by me, but is part of the URL from the upload session:

https://outlook.office365.com/api/gv1.0/users('80d9e95e-......-e6073ad418c3')/messages('AAMkADNhNGE0Zm......fyQN7iMAAAYbyvFAAA=')/AttachmentSessions('AAMkADNhNGE0ZmRiLWJlODgtN......xSIeWW7eoSJuVFfyQN7iMAAAYbzOWAAA=')?authtoken=eyJhbGciOiJSUzI1NiIsImtpZCI6Im......GPPml8ceDmgHjCfTJamaogeA

In other words: This token is generated by Microsoft!
I looked into the JWT token, but to be frank here, I have no clue if this is right or not:

{
  "alg": "RS256",
  "kid": "bwc01gG03NinMfcic33RBMzgj/Y=",
  "typ": "JWT",
  "x5t": "XhaA6oSqoGiDp1vd1hG0xtcZhaY"
}
{
  "rscopelen": "462",
  "ver": "ResourceLoopback.App.V1",
  "roles": "AttachmentSession.Write",
  "resource_scope": "{\"URL\":\"4j6zXXEOpaRz+qZkH6Hp7wcoEslA+D/JhvQvd+6AT2Y=\"}",
  "corrid": "31e6b499-4d5f-4782-0201-08c2bad9b90b",
  "appid": "00000003-0000-0000-c000-000000000000",
  "appidacr": "0",
  "tid": "014e521c-062c-4dc0-b4f3-e6073ad418c3",
  "iat": 1739714846,
  "nbf": 1739714846,
  "exp": 1739725646,
  "iss": "https://resource.self/",
  "aud": "https://outlook.office.com/api/"
}

Now the question: What do I have to do, to make this work? I want to upload a large file (>3MB) with this URL.

( NOTE: Sending small emails with no files, or files <3MB works as expected. )


2 answers

  1. Yakun Huang-MSFT 10,555 Reputation points Microsoft External Staff
    2025-02-17T03:01:13.3933333+00:00

    Hello CodeMonkey,

    Thank you for reaching out to Microsoft Support!

    As for your question, everything works well after our tests, but through the analysis of authtoken, we found that the token you obtained is different from mine in terms of permissions.

    Our token parsing is as follows:

    Screenshot 2025-02-17 025557

    The reason for the difference is that the flow you use when creating the upload session is different from ours. For uploading attachments, auth code flow is required, and I use Graph Explorer, so the flow is used, as shown in the following figure:

    Screenshot 2025-02-17 025929

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. CodeMonkey 0 Reputation points
    2025-02-18T11:38:31.9066667+00:00

    So..., I now tested this myself over the Graph Explorer. Result: You can't test this over the Graph Explorer! Because the upload session URL does NOT work over Microsoft Graph API:
    Screenshot from 2025-02-18 12-35-15

    I want to report this as a bug. Where may I do this?
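
The token inspection described in the question, as an added example that is not part of the original thread: it pulls the authtoken out of an upload session URL, decodes the JWT header and claims without verifying the signature, and checks the validity window against the time of the error. The function names, the placeholder path segments and the fake signature are assumptions; the claim values are the ones posted in the question.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def inspect_upload_url(upload_url, now):
    """Triage the authtoken in an uploadUrl. The signature is NOT verified."""
    tokens = parse_qs(urlsplit(upload_url).query).get("authtoken")
    if not tokens or tokens[0].count(".") != 2:
        raise ValueError("no three-part JWT in the authtoken parameter")
    header, claims = (_b64url_json(s) for s in tokens[0].split(".")[:2])
    return {
        "alg": header.get("alg"),
        "roles": claims.get("roles"),
        "aud": claims.get("aud"),
        "not_yet_valid": now < claims["nbf"],
        "expired": now >= claims["exp"],
        "seconds_left": claims["exp"] - now,
    }


def _seg(obj):
    """Build an unpadded base64url segment for the constructed sample token."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: claim values copied from the question, fake signature,
# placeholder path segments (the real ones are elided on the page).
SAMPLE_CLAIMS = {"roles": "AttachmentSession.Write", "nbf": 1739714846,
                 "exp": 1739725646, "aud": "https://outlook.office.com/api/"}
SAMPLE_URL = (
    "https://outlook.office365.com/api/gv1.0/users('USER')/messages('MSG')"
    "/AttachmentSessions('SESSION')?authtoken="
    + ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg(SAMPLE_CLAIMS), "c2ln"])
)
# Assumption: the error's "date" (2025-02-16T14:07:26) is UTC -> 1739714846.
ERROR_TIME = 1739714846

if __name__ == "__main__":
    print(inspect_upload_url(SAMPLE_URL, ERROR_TIME))
```

With the posted claims the token is inside its validity window at the time of the error (three hours from `nbf` to `exp`), so this check rules out expiry but says nothing about the signature itself.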

