This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I want to create user-specific subscriptions to messages using an Application (with Application permissions). I don't want to read the message's body so using the Mail.ReadBasic scope looks like the solution, but it doesn't work for Application permission, so I'm using "Mail.ReadBasic.All"
First, what I've found:
And now, what I have:
I have an app installed like this:
And when I try to create a new subscription for a user using the API (and Python) I get this error:
payload = {
"changeType": "created,updated,deleted",
"notificationUrl": "https://<url>",
"resource": "/users/<user id>/messages",
"expirationDateTime": "2022-03-11T10:52:38Z",
"clientState": "testClientState",
}
graph_data = requests.post(
"https://graph.microsoft.com/beta/subscriptions/",
headers={
"Authorization": "Bearer " + access_token,
"Content-Type": "application/json",
},
json=payload,
)
Graph API call result:
{
"error": {
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]",
"innerError": {
"date": "2022-03-10T10:54:50",
"request-id": "0db50e06-1b87-432b-b6d9-b83120c3de08",
"client-request-id": "<hidden>"
}
}
}
Using the same credentials (Applications Credentials using App Secrets) I can get that user profile info and the inbox messages list / specific message without any problem.
Is there something I am doing wrong? Is this a bug in the API scopes?
Thanks
A cloud-based identity and access management service for securing user authentication and resource access
An API that connects multiple Microsoft services, enabling data access and automation across platforms
Granting permissions in enterprise application may have latency issues, use https://jwt.ms/ to parse your access token and share screenshots.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Did u see below error?
Operation: Create; Exception: [Status Code: ServiceUnavailable; Reason: Target resource '00030000-d205-2a66-0000-000000000000' hosted on database '14adcc7b-33b0-418a-9cea-71ccf4592c21' is currently on backend 'Unknown']
After adding permissions on graph explorer, it is working. but still don't see a call back.
I could see the call back for the validation token. but not for the notification request.
did you add which permissions? application or delegate?
I am trying to do the same thing, but I ended up seeing below errors. for some reasons, I face MSA accounts error. please refer more info on - https://learn.microsoft.com/en-us/answers/questions/870631/change-notifications-giving-error-34subscription-v.html
As you can see in my second screenshot, Application credentials (/api/attachments/181898-captura-de-pantalla-de-2022-03-10-12-10-56.png)?platform=QnA
Yes, Permission issue resolved, but please below error
Operation: Create; Exception: [Status Code: ServiceUnavailable; Reason: Target resource '00030000-d205-2a66-0000-000000000000' hosted on database '14adcc7b-33b0-418a-9cea-71ccf4592c21' is currently on backend 'Unknown'].
I ended up seeing this error. there is nothing much can be done
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 75%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Experiencing the same issues create-subscriptions-403-for-mailreadbasic-applica.html
With Mail.Read application permission subscriptions work, but with Mail.ReadBasic or Mail.ReadBasic.All (tried both even) it doesn't
Hi @HacheJulio
This is an error caused by lack of permissions, use https://jwt.ms/ to parse your token, make sure you have the Mail.ReadBasic or Mail.ReadBasic.All application permission in your token.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
(I added Mail.ReadBasic to the Application permissions just in case, along with Mail.ReadBasic.All). Same code, same request:
DEBUG:urllib3.connectionpool:https://graph.microsoft.com:443 "POST /beta/subscriptions HTTP/1.1" 403 None
{'error': {'code': 'ExtensionError', 'message': 'Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]', 'innerError': {'date': '2022-03-11T11:48:24', 'request-id': '<hidden>', 'client-request-id': '<hidden>'}}}
I'm facing the same problem with the Mail.ReadBasic.All scope in my application.
The same code works for me with the Mail.Read scope but it's a problem because I don't want to process the body, just the headers.
Is there anything that I could try to solve this?
Thanks in advance.
I am discussing this issue with my colleagues and will update you once we have any updates.
Hi @CarlZhao-MSFT , do you have any update on this? Thanks!