Microsoft-Graph API returning HTTP 403 - Forbidden on NodeJS Daemon Quickstart application

Tony Lockhart 106 Reputation points

I just created a tenant in Azure. The directory has an office 365 Business Standard License. I have downloaded the Node Daemon quick-start application and updated the clientID, TenantId, secret, etc in the .env file, as the instructions direct. However, I am receiving 403 Error when running the getUser MS-Graph query. Before downloading the sample code, step 3 indicates Admin consent is insufficient (see screenshot below). However, I am the owner, and I have granted admin consent to all app-permissions (see screenshot 2). Is there another admin consent that needs to be granted?



Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,886 questions
0 comments No comments
{count} votes

Accepted answer
  1. CarlZhao-MSFT 37,956 Reputation points

    Hi @Tony Lockhart

    This is an expected error, since you are using an unattended daemon, you should use application permissions.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Abdul Gani 0 Reputation points

    Hi All,

    I have same issue (got 403 forbidden) when access microsoft graph with url:

    v1.0/users/<email sender>/sendMail

    and this is my msal-node method:

    import * as msal from "@azure/msal-node";
    //import static config
    import {
    } from "@config/email.config";
    //configurasi object untuk dapat melewati proses instanciate MSAL
    const msalConfig: { auth: msal.NodeAuthOptions } = {
      auth: {
        clientId: CLIENT_ID,
        authority: AAD_ENDPOINT + "/" + TENANT_ID,
        clientSecret: CLIENT_SECRET,
    //interface untuk token request
    interface tokenRequestIface {
      scopes: string[];
    //Dalam alur credential klien, izin perlu diberikan di portal oleh administrator penyewa.
    //izin dalam hal ini ditentukan oleh scope seperti dibawah
    const tokenRequest: tokenRequestIface = {
      scopes: [GRAPH_ENDPOINT + "/.default"],
    //definisikan api graph microsoft endpoint url
    const apiConfig: { uri: string } = {
      uri: GRAPH_ENDPOINT + "/v1.0/users",
    //inisiasi sebuah confidential aplikasi client
    const cca = new msal.ConfidentialClientApplication(msalConfig);
    //buat fungsi untuk mendapatkan token
    async function getToken(tokenRequest: tokenRequestIface) {
      return await cca.acquireTokenByClientCredential(tokenRequest);
    export { apiConfig, tokenRequest, getToken };

    and then i use getToken above to get bearer token for http request to microsoft graph api:

    try {
        const tokenInfo = await getToken(tokenRequest);
        const mail = {
          subject: "Microsoft Graph JavaScript Sample",
          //This "from" is optional if you want to send from group email. For this you need to give permissions in that group to send emails from it.
          from: {
            emailAddress: {
              address: "",
          toRecipients: [
              emailAddress: {
                address: "",
          body: {
              "<h1>MicrosoftGraph JavaScript Sample</h1>This is the email body",
            contentType: "html",
        const emailSentResponse = await callAPI({
          url: "v1.0/users/",
          accessToken: tokenInfo?.accessToken,
          method: "post",
          body: { message: mail, saveToSentItems: false },
      } catch (error: any) {
        console.log("error send email", error);
        const statusCode: number | undefined = error.response?.status;
        if (statusCode) {
          return res.status(statusCode).send(error);

    after finish all code, i hit through postman and get 403 like this:

        "message": "Request failed with status code 403",
        "name": "AxiosError",
        "stack": "AxiosError: Request failed with status code 403\n    at settle (/Users/fhi-it-dev/Documents/email-SMS-API/node_modules/axios/lib/core/settle.js:19:12)\n    at Unzip.handleStreamEnd (/Users/fhi-it-dev/Documents/email-SMS-API/node_modules/axios/lib/adapters/http.js:548:11)\n    at Unzip.emit (node:events:525:35)\n    at Unzip.emit (node:domain:489:12)\n    at endReadableNT (node:internal/streams/readable:1358:12)\n    at processTicksAndRejections (node:internal/process/task_queues:83:21)",
        "config": {
            "transitional": {
                "silentJSONParsing": true,
                "forcedJSONParsing": true,
                "clarifyTimeoutError": false
            "adapter": [
            "transformRequest": [
            "transformResponse": [
            "timeout": 0,
            "xsrfCookieName": "XSRF-TOKEN",
            "xsrfHeaderName": "X-XSRF-TOKEN",
            "maxContentLength": -1,
            "maxBodyLength": -1,
            "env": {
                "Blob": null
            "headers": {
                "Accept": "application/json, text/plain, */*",
                "Content-Type": "application/json",
                "Authorization": "Bearer xxxxxxxxxxxxxx",
                "User-Agent": "axios/1.3.3",
                "Content-Length": "343",
                "Accept-Encoding": "gzip, compress, deflate, br"
            "baseURL": "",
            "method": "post",
            "data": "{\"message\":{\"subject\":\"Microsoft Graph JavaScript Sample\",\"from\":{\"emailAddress\":{\"address\":\"\"}},\"toRecipients\":[{\"emailAddress\":{\"address\":\"\"}}],\"body\":{\"content\":\"<h1>MicrosoftGraph JavaScript Sample</h1>This is the email body\",\"contentType\":\"html\"}},\"saveToSentItems\":false}",
            "url": "v1.0/users/"
        "code": "ERR_BAD_REQUEST",
        "status": 403

    Please help, all setting already ok, (enable email, and also applications permissions like above....

    0 comments No comments