I want to create user-specific subscriptions to messages using an Application (with Application permissions). I don't want to read the message's body, so using the Mail.ReadBasic scope looks like the solution, but it doesn't work for Application permission, so I'm using "Mail.ReadBasic.All".
First, what I've found:
And now, what I have:
I have an app installed like this:
And when I try to create a new subscription for a user using the API (and Python), I get this error:
import requests

# access_token is the app-only token obtained earlier with the application credentials
payload = {
    "changeType": "created,updated,deleted",
    "notificationUrl": "https://<url>",
    "resource": "/users/<user id>/messages",
    "expirationDateTime": "2022-03-11T10:52:38Z",
    "clientState": "testClientState",
}
graph_data = requests.post(
    "https://graph.microsoft.com/beta/subscriptions/",
    headers={
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/json",
    },
    json=payload,
)
Graph API call result:
{
    "error": {
        "code": "ExtensionError",
        "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
        "innerError": {
            "date": "2022-03-10T10:54:50",
            "request-id": "0db50e06-1b87-432b-b6d9-b83120c3de08",
            "client-request-id": "<hidden>"
        }
    }
}
Using the same credentials (Applications Credentials using App Secrets) I can get that user's profile info and the inbox messages list / specific message without any problem.
Is there something I am doing wrong? Is this a bug in the API scopes?
Thanks