Microsoft Security | Microsoft Graph
An API that connects multiple Microsoft services, enabling data access and automation across platforms
any inputs on this?
Error authenticating with resource -- even with admin consent for a signed in user
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 71%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Akshay Mahajan
26
Reputation points
Hello, I have a registered AD app, and has admin consent on the following permissions
Mail.Read
Mail.ReadWrite
Mail.ReadBasic
User.Read
I also get a code in my local app, which I use to obtain an access_token. In that response, here are the scope values returned by login.microsoftonline.com
"scope": "profile openid email https://graph.microsoft.com/Mail.Read https://graph.microsoft.com/Mail.ReadBasic https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/User.Read",
Now when I try to access https://graph.microsoft.com/v1.0/me using access_token obtained in the previous step, it works fine and gives my user profile back in postman.
But when I try to access https://graph.microsoft.com/v1.0/me/messages, it fails with the following error
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2021-04-30T16:56:08",
"request-id": "b1949288-8ee8-42cd-ae61-5c63597eb973",
"client-request-id": "b1949288-8ee8-42cd-ae61-5c63597eb973"
}
}
}
The scope for access_token does have Mail.Read for graph. What am I doing wrong? scp value from jwt.ms is as follows:
"scp": "Mail.Read Mail.ReadBasic Mail.ReadWrite User.Read profile openid email"
Please help asap. Thanks!
Microsoft Security | Microsoft Graph
-
Akshay Mahajan 26 Reputation points
2021-04-30T17:03:34.73+00:00 This app is enabled for Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
I am using an @harsh.com .com email address
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 47%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
Diana Wanjuhi 1,376 Reputation points2021-05-04T08:01:48.557+00:00 Hello - let us look into this and get back to you.
Sign in to comment
1 answer
Sort by: Most helpful
-
Akshay Mahajan 26 Reputation points
2021-05-03T17:49:28.49+00:00 -
Diana Wanjuhi 1,376 Reputation points
2021-05-04T12:19:09.453+00:00 Hello @Akshay Mahajan would you check with your admin whether you have a valid subscription for this user?
-
Akshay Mahajan 26 Reputation points
2021-05-04T12:45:44.733+00:00 Hi @Diana Wanjuhi thanks for your response. Would like to get more details on the "subscription", are you referring to office 365 subscription? I have this AD app on Azure which allows signing in on personal Microsoft accounts (e.g. Skype, Xbox). And am using a personal email address like aksxyz@harsh.com .com (we have added this user as a Guest user on Azure AD and accepted invite). Beyond that, please let me know what step is needed within Azure AD or on the exchange side?
Thank you!
-
Akshay Mahajan 26 Reputation points
2021-05-04T14:01:04.54+00:00 Also want to add that when I use MS Graph Explorer online tool (on a browser) and sign in to this outlook email account, I am able to access the messages using me/messages. How could azure AD app have the same behavior?
Sign in to comment -