Setting mail message IsRead to true using Graph API fails

Question

Setting mail message IsRead to true using Graph API fails

Raleigh Rinehart 21

When trying to set a mail message IsRead status to true an ODataError is thrown (see exception output below).
Note that we are using the Microsoft.Graph sdk using the "Client credentials provider" Auth provider with a client secret as this needs to run without any user interaction. The Entra application has the Mail.Read, Mail.Send , and Mail.ReadWrite permissions set. We are able to Send and Receive emails just fine.

Code example snippet:

var requestBody = new Message
{
    IsRead = true,
};

var msg = graphUser.Messages[message.Id];
try
{
    await msg.PatchAsync(requestBody);
}
catch (Exception e)
{
    Logger.Exception("Unable to mark message as read.", e);
}

The same problem happens with the PowerShell Graph SDK:

PS C:\work\testing> Import-Module Microsoft.Graph.Mail 
PS C:\work\testing> Update-MgUserMessage -UserId $userId -MessageId "{message id}" -BodyParameter $params
Update-MgUserMessage : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Strict-Transport-Security     : max-age=31536000
request-id                    : d963ff03-946d-45ca-848b-127244e8d86c
client-request-id             : 9f8bf091-970e-4c4c-be44-b476bac58090
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"SN4PEPF0000296D"}}
Cache-Control                 : private
Date                          : Fri, 30 May 2025 21:59:44 GMT
At line:1 char:1
+ Update-MgUserMessage -UserId $userId -MessageId "AAMkADU1YjNjNzM0LTA2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = b565...tGraphMessage }:<>f__AnonymousType5`4) [Update-MgUserMessage_Update], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUserMessage_Update

$params looks like this:

$params
Name                           Value
----                           -----
isRead                         True

Exception:

Microsoft.Graph.Models.ODataErrors.ODataError: Access is denied. Check credentials and try again.
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.ThrowIfFailedResponseAsync(HttpResponseMessage response, Dictionary`2 errorMapping, Activity activityForAttributes, CancellationToken cancellationToken)
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.SendAsync[ModelType](RequestInformation requestInfo, ParsableFactory`1 factory, Dictionary`2 errorMapping, CancellationToken cancellationToken)
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.SendAsync[ModelType](RequestInformation requestInfo, ParsableFactory`1 factory, Dictionary`2 errorMapping, CancellationToken cancellationToken)
   at Microsoft.Graph.Users.Item.Messages.Item.MessageItemRequestBuilder.PatchAsync(Message body, Action`1 requestConfiguration, CancellationToken cancellationToken)

Sonny Gillissen 3,751 Reputation points Volunteer Moderator

2025-05-31T19:41:21.5+00:00

Hi Raleigh Rinehart

Thanks for reaching out on Microsoft Q&A!

Modifying message properties (like IsRead) is considered a user-contextual action, therefor Application Permissions won't work as they lack user context. To solve this issue I advise you to make use of Delegated Permissions using the On-Behalf-Of (OBO) Flow so you will have a user context, thus be able to set the property:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow

Please click ‘Accept answer’ if you think my answer is helpful. Feel free to drop additional queries in the comments below!

Kind regards,

Sonny
Raleigh Rinehart 21 Reputation points

2025-06-02T15:35:16.06+00:00

Hi @Sonny Gillissen ,I'm not sure the On-Behalf-Of flow is a viable option in this scenario. Reason being is that that we have no User in the workflow at all. This application is akin to a "Daemon" app, and can run without any user involvement. It is my understanding that the OBO flow requires an authenticated user, which we don't have. Is this correct?
Raleigh Rinehart 21 Reputation points

2025-06-02T15:55:05.57+00:00

Hi @SrideviM ,

I don't have access to the the Admin portal for the application, I will confirm with our IT that the permissions are set correctly (I am 99.9% sure that Mail.Read, Mail.Send , and Mail.ReadWrite
are set)
Here is what the full PowerShell looks like:

thanks,

-raleigh
SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-06-02T16:55:46.0033333+00:00

Hello Raleigh, make sure to add permissions of Application type with admin consent. If you added same permissions of Delegated type, it will throw error as they won't work with client credentials flow.
Raleigh Rinehart 21 Reputation points

2025-06-02T19:47:39.59+00:00

Hi @SrideviM ,

When adding the Application permission for Mail.ReadWrite the dashboard says Not Granted for ..., I suspect this is the issue, but no idea why this happens, nor how to correct.

Any ideas on this?
Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator

2025-06-02T19:56:54.4766667+00:00

Admin consent is required, and an azure ad admin has not to clicked on consent button.

Accepted answer

1 additional answer

Your answer

Sonny Gillissen 3,751 Reputation points Volunteer Moderator

2025-05-31T19:41:21.5+00:00

Hi Raleigh Rinehart

Thanks for reaching out on Microsoft Q&A!

Modifying message properties (like IsRead) is considered a user-contextual action, therefor Application Permissions won't work as they lack user context. To solve this issue I advise you to make use of Delegated Permissions using the On-Behalf-Of (OBO) Flow so you will have a user context, thus be able to set the property:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow

Please click ‘Accept answer’ if you think my answer is helpful. Feel free to drop additional queries in the comments below!

Kind regards,

Sonny
Raleigh Rinehart 21 Reputation points

2025-06-02T15:35:16.06+00:00

Hi @Sonny Gillissen ,I'm not sure the On-Behalf-Of flow is a viable option in this scenario. Reason being is that that we have no User in the workflow at all. This application is akin to a "Daemon" app, and can run without any user involvement. It is my understanding that the OBO flow requires an authenticated user, which we don't have. Is this correct?
Raleigh Rinehart 21 Reputation points

2025-06-02T15:55:05.57+00:00

Hi @SrideviM ,

I don't have access to the the Admin portal for the application, I will confirm with our IT that the permissions are set correctly (I am 99.9% sure that Mail.Read, Mail.Send , and Mail.ReadWrite
are set)
Here is what the full PowerShell looks like:

thanks,

-raleigh
SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-06-02T16:55:46.0033333+00:00

Hello Raleigh, make sure to add permissions of Application type with admin consent. If you added same permissions of Delegated type, it will throw error as they won't work with client credentials flow.
Raleigh Rinehart 21 Reputation points

2025-06-02T19:47:39.59+00:00

Hi @SrideviM ,

When adding the Application permission for Mail.ReadWrite the dashboard says Not Granted for ..., I suspect this is the issue, but no idea why this happens, nor how to correct.

Any ideas on this?
Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator

2025-06-02T19:56:54.4766667+00:00

Admin consent is required, and an azure ad admin has not to clicked on consent button.

Answer 1

Hello Raleigh Rinehart,

The error occurs if you missed granting admin consent to Mail.ReadWrite Application type permission or you are using Delegated type permission that won't work with client credentials flow.

To resolve the error, make sure to grant Mail.ReadWrite permission of Application type with admin consent as below:

User's image

When I ran below PowerShell script to connect with Microsoft Graph using client credentials flow, it worked successfully:

$tenantID = "tenantId"
$appID = "appId"
$secretValue = "secret"
$ClientSecretPass = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appID, $ClientSecretPass

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential

$params = @{
    IsRead = $true
}

Update-MgUserMessage -UserId "userId" -MessageId "msgId" -BodyParameter $params

enter image description here

Hope this helps

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

User's image

If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

SrideviM 5,630 Reputation points Microsoft External Staff Moderator

2025-06-03T13:12:02.65+00:00

Hello Raleigh Rinehart,

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

Answer 2

Raleigh Rinehart 21

The issue turned out to be that the Mail.ReadWrite permission was added but not yet approved/consented by an Admin. I ask our IT guy to consent to the permission and now all is working as expected.

Share via

Setting mail message IsRead to true using Graph API fails

1 additional answer

Your answer