0 Votes
LucaBorzani-0164 asked LucaBorzani-0164 answered

sendMail Graph API: /me endpoint returns 403 despite role assigned

Hello,

I have created an app registration and assigned the Mail.Send Application permission.
I acquire a token using the client credentials flow, and the token correctly contains the Mail.Send (as any user) role.

When I call the sendMail API though, the /me endpoint responds with a 403, while the /users endpoint sends the email as expected.

How do I get the /me endpoint to work? I don't want to use the /users endpoint; the request should be executed as the service principal associated with the registration (object id).


1 Vote
Danstan-MSFT answered Danstan-MSFT edited

/me requires a signed-in user (Delegated permissions). See here. Therefore, tokens acquired using the client credentials flow won't work with /me and all its extensions, because such a token has only application permissions. To get /me to work you must acquire a token on behalf of the user using /authorize. See here.

0 Votes
LucaBorzani-0164 answered Danstan-MSFT commented

So there is no way to invoke the graph api using only client_id and client_secret, as both endpoints require a user?


Application permissions are useful when no user consent is needed in the flow, or when it is not possible. Delegated permissions are useful when you need to do something on behalf of a user.
Note that if you need to access resources under /me/{extensions}, you can still use /users/{extensions} with the right application permissions.

For example, instead of calling GET /me with application permissions, call GET /users/{user-id | userPrincipalName}.
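To tell the two token types apart before calling Graph, here is an added diagnostic (example code written for this page, not from the thread's participants or Microsoft's SDKs) that decodes a token's payload, checks whether it carries `scp` (delegated) or `roles` (application), and picks `/me/sendMail` or `/users/{id}/sendMail` accordingly. The tokens, app id and UPN it builds are constructed placeholders.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_claims(token: str) -> dict:
    # Payload only, no signature check: a local diagnostic for a token you
    # already hold, not validation (Graph verifies the signature server-side).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def token_kind(claims: dict) -> str:
    # 'scp' marks a delegated (user) token; 'roles' alone marks client credentials.
    if "scp" in claims:
        return "delegated"
    return "application" if "roles" in claims else "unknown"

def send_mail_path(claims: dict, user: str = "") -> str:
    # Pick the path this token can actually call, or raise with the reason.
    kind = token_kind(claims)
    if kind == "delegated":
        return "/me/sendMail"
    if kind != "application":
        raise ValueError("neither scp nor roles present; cannot choose an endpoint")
    if "Mail.Send" not in claims.get("roles", []):
        raise PermissionError("token lacks the Mail.Send application role")
    if not user:
        raise ValueError("application token has no signed-in user: "
                         "call /users/{id-or-upn}/sendMail, not /me")
    return f"/users/{user}/sendMail"

def make_unsigned_token(payload: dict) -> str:
    # Constructed test token (alg none, empty signature) as input for the
    # decoder above; a real validator must reject alg none.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."

# Constructed sample claims; the app id and UPN are placeholders.
APP_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000", "roles": ["Mail.Send"]})
DELEGATED_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
    "upn": "alice@contoso.example", "scp": "Mail.Send User.Read"})
```

Run `send_mail_path(token_claims(APP_TOKEN))` without a user to see the same condition the 403 in the question reports, but with the reason spelled out.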
0 Votes
LucaBorzani-0164 answered

Yes, I understand I can use the /users endpoint, but it requires a userPrincipal; I'd like to use the servicePrincipal that belongs to the app registration, which already has all the permissions granted by an admin. I think there's no other way than creating a technical user so I can call the /users endpoint with a valid userId.
