Share via

401 Unauthorized when accessing mailFolders for external users with Microsoft Graph API application permissions

Brendan 20 Reputation points
2025-03-25T22:13:11.2266667+00:00

I'm developing an application using the Microsoft Graph API with application permissions to access my personal outlook email, but I'm encountering a 401 Unauthorized error specifically when trying to access mailFolders.

The application I'm writing I would need to be able to run without a user being present, hence I can't use delegated permissions.

Screenshot 2025-03-26 at 8.57.20 am I'm using Python with MSAL to authenticate with client credentials flow (application permissions) and access a user mailboxes. I can successfully retrieve basic user information, but when I try to access the mailFolders endpoint, I get a 401 Unauthorized error.

My code:

# Create app instance and acquire token (works fine)
app = msal.ConfidentialClientApplication(
    config["client_id"], authority=config["authority"],
    client_credential=config["secret"]
)
result = app.acquire_token_for_client(scopes=config["scope"])

# This works - I can get user info
user_info = requests.get(
    f"{config['base_url']}/users/{config['user_id']}",
    headers={'Authorization': 'Bearer ' + result['access_token']}
).json()

# This fails with 401 Unauthorized
mail_folders = requests.get(
    f"{config['base_url']}/users/{config['user_id']}/mailFolders",
    headers={'Authorization': 'Bearer ' + result['access_token']}
)

My application has the following permissions granted and consented:

Screenshot 2025-03-26 at 8.57.35 am

Examining the JWT token shows these permissions are included in the roles claim

Screenshot 2025-03-26 at 9.06.21 am

Any help with this would be much appreciated!

Microsoft Security | Microsoft Graph
0 comments
Accepted answer
  1. Akhil Nasalwai - MSFT 1,685 Reputation points Microsoft External Staff
    2025-03-26T01:02:42.9066667+00:00

    Hello Brendan,

    Thank you for reaching out to Microsoft Support!!

    Based on the error that you are encountering, 401 unauthorized access when trying to access mailbox might be due to the account type which is being accessed.

    As per the documentation, for the personal Microsoft Account delegated permissions are supported.

    01

    Link: list Mailfolders Graph API

    We recommend you testing the API using the me/mailfolders by signing in as a user through Graph Explorer - Graph Explorer or try using work account with application permissions and let us know the response.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. CarlZhao-MSFT 46,376 Reputation points
    2025-03-26T02:30:22.8533333+00:00

    Hi @Brendan

    You can't access the external user's mail folder because the external user doesn't have an EXO mailbox available in your tenant, it only has a mailbox available in their home tenant.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments
  2. Brendan 20 Reputation points
    2025-03-30T21:34:28.2466667+00:00

    Thanks for the quick response team, I actually ended up using delegated permissions and using the msal python library which handles auto refresh of tokens itself. This at least considerably reduces the need for a user to be present during authentication.

    I may look into whether app permissions could suit me better in future, and how to get it working with an external user, but for now I'm happy enough with how its working.

    Thanks for you both your help!

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.