How is Application Impersonation working for some of our customers but erroring out for other customers?

Mukesh Kumar 20 Reputation points
2025-03-27T07:53:00.0833333+00:00

We use Application Permission and Delegated Permission for 2 of our apps respectively, which our customers use to either do a team sign-in or individual sign-in and provide consent to use their activity data. We are already in the process of migrating them to Graph. Meanwhile, we have observed that application impersonation still works for a few of our customers, but for some of the other customers we are observing 403 Forbidden errors. Is there a particular reason why it's working for a few but not for others?

Exchange Online

1 answer

  1. Anonymous
    2025-03-28T02:55:34.1866667+00:00

    Hi @Mukesh Kumar ,

    Welcome to the Microsoft Q&A platform!

    Are all users in the same tenant? If not, consider checking the tenant settings.
    In tenants where impersonation is working, the admin has likely already consented to the required permissions, whether via legacy Exchange Impersonation policies, the Application Permission in Azure AD, or a combination of delegated permissions.

    In the tenants where you’re seeing a 403 error, it’s possible that the admin consent wasn’t granted or the appropriate roles weren’t assigned. Sometimes a tenant’s security policies can block an app from performing impersonation if the app hasn’t been “whitelisted” properly.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
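
One way to check the consent explanation above per tenant is to inspect the claims of the access token the app receives for each customer. This is an added example, not code from the question or the answer; it assumes the EWS permission names `full_access_as_app` (application) and `EWS.AccessAsUser.All` (delegated), the function names are hypothetical, and the tenant IDs and tokens are constructed samples. It covers only the consent part, not tenant policies that may block the app.

```python
import base64
import json

# Permission names as exposed by Office 365 Exchange Online for EWS (assumed here).
APP_ROLE = "full_access_as_app"           # application permission (app-only)
DELEGATED_SCOPE = "EWS.AccessAsUser.All"  # delegated permission


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, expected_tenant: str) -> list[str]:
    """Return consent-related findings consistent with a 403; empty means none found."""
    claims = decode_claims(token)
    findings = []
    if claims.get("tid") != expected_tenant:
        findings.append(f"token issued by tenant {claims.get('tid')}, not {expected_tenant}")
    roles = claims.get("roles", [])
    scopes = claims.get("scp", "").split()
    if not roles and not scopes:
        findings.append("no roles or scp claim: admin consent was not granted in this tenant")
    elif roles and APP_ROLE not in roles:
        findings.append(f"app-only token lacks {APP_ROLE}")
    elif scopes and DELEGATED_SCOPE not in scopes:
        findings.append(f"delegated token lacks {DELEGATED_SCOPE}")
    return findings


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tenants and tokens (not real identifiers).
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
CONSENTED = make_sample({"tid": TENANT_A, "roles": [APP_ROLE]})
UNCONSENTED = make_sample({"tid": TENANT_B})

if __name__ == "__main__":
    for name, tok, tid in [("A", CONSENTED, TENANT_A), ("B", UNCONSENTED, TENANT_B)]:
        print(name, diagnose(tok, tid) or "token carries the expected permission")
```
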

