Unable to retrieve messages in Office 365 using Invoke-RestMethod with app permission registered in Azure AD

Benard Mwanza 1,001 Reputation points
2022-03-21T13:09:47.85+00:00

I need to be able to read and delete emails in Exchange Online using the REST API. In my environment it only worked once; now I am receiving error 401 upon running the PowerShell script that I have created.

What I set up:
Created an enterprise app in Azure AD and assigned API permission to access the Office 365 Exchange Online API under "APIs my organization uses", as shown on the attached snips. Retrieved an access token for the app using the MSAL module, then called Invoke-RestMethod and passed the URI and the auth token to get messages for a certain mailbox in Office 365.

This worked once; then, rerunning Invoke-RestMethod some minutes later, I get an error 401 Unauthorized, as shown on the attached snip.

I need assistance to understand what could I be missing to make it work again.

185169-assist-snip-allowpublicclient.png

185150-assist-snip-accesstoken-retreiving.png

185179-assist-snip-allowpublicclient.png

185140-assist-snip-retreivingmessages-error.png
185215-assist-snip1-office365exchangeonlineapipermissiong.png
185119-assist-snip2-auth.png
185216-assist-snip-runerror.png


Accepted answer
  1. JanardhanaVedham-MSFT 3,536 Reputation points
    2022-03-21T13:34:10.52+00:00

    Hi @Benard Mwanza ,

    You are getting this 401 Unauthorized error because you have not granted Microsoft Graph permissions to your app; instead, Office 365 Exchange Online API permissions are granted, as per the API permissions screenshot which you shared above.

    Please note that you would need to configure the Microsoft Graph permissions for your app to use Microsoft Graph. Below are the steps to be followed to grant Microsoft Graph permissions for the registered app in Azure AD.
    181009-image.png
    181029-image.png
    181039-image.png
    If you are using the application permissions scope in your application, then you would have to choose the "Application Permissions" section from the "Microsoft Graph" API area, as shown below.
    185251-image.png
    185206-image.png
    185252-image.png
    As shown in the above screenshot, an admin must grant admin consent for the "Mail.Read" application permissions.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


2 additional answers

  1. Benard Mwanza 1,001 Reputation points
    2022-03-21T13:45:30.093+00:00

    Hi @JanardhanaVedham-MSFT

    I had already assigned that permission; apologies for not including it in the snips list. It's still the same error.
    185291-assist-snip-microsoftgraphassigned.png


  2. Benard Mwanza 1,001 Reputation points
    2022-03-21T14:12:11.753+00:00

    Hi @JanardhanaVedham-MSFT ,

    This has worked like magic, thank you, though I have done two additional steps.

    - Have revoked and removed all Office 365 Exchange Online API permissions. Now the only assigned API permission is for Microsoft Graph mail.
    - Granted new permission to admin.
    - Regenerated a new access token, then called Invoke-RestMethod again.
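
A pre-flight check for the fix described in this thread, added here as an example and not code from either poster: it decodes an access token's claims and reports whether the audience is Microsoft Graph and whether the `roles` claim carries `Mail.Read`, since claims are fixed when a token is issued and a permission change only shows up in a newly acquired token. The function names and the sample tokens are constructed for illustration, and it assumes the mailbox call goes to Microsoft Graph with application permissions.

```powershell
# Decode the payload (second segment) of a JWT. No signature validation: diagnostic use only.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')               # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }  # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Report whether a token is usable for an app-only Microsoft Graph mail call.
function Test-GraphMailToken {
    param([Parameter(Mandatory)][string]$Token, [string]$RequiredRole = 'Mail.Read')
    $claims = Get-JwtPayload -Token $Token
    # Graph tokens carry the Graph URI or the Graph application ID as audience.
    $graphAud = 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Audience        = $claims.aud
        AudienceIsGraph = "$($claims.aud)".TrimEnd('/') -in $graphAud
        Roles           = @($claims.roles) -join ','
        HasRequiredRole = @($claims.roles) -contains $RequiredRole
        Expired         = $expiry -le [DateTimeOffset]::UtcNow
    }
}

# Constructed sample tokens (unsigned, not real), built inline so the script runs offline.
function New-SampleToken {
    param([hashtable]$Claims)
    $enc = {
        param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.constructed' -f (& $enc @{ alg = 'none' }), (& $enc $Claims)
}

$exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
# Assumed case 1: token issued for a resource other than Graph (here the Exchange Online URI).
$otherResource = New-SampleToken @{ aud = 'https://outlook.office365.com'; roles = @('Mail.Read'); exp = $exp }
# Assumed case 2: Graph token acquired before admin consent, so no roles claim is present.
$noConsent = New-SampleToken @{ aud = 'https://graph.microsoft.com'; exp = $exp }
# Assumed case 3: Graph token acquired after Mail.Read was granted and consented.
$consented = New-SampleToken @{ aud = 'https://graph.microsoft.com'; roles = @('Mail.Read'); exp = $exp }

$otherResource, $noConsent, $consented | ForEach-Object { Test-GraphMailToken -Token $_ } | Format-Table
```

Pass the access token string returned by the MSAL module to `Test-GraphMailToken` before calling `Invoke-RestMethod`; a 401 is expected whenever `AudienceIsGraph` or `HasRequiredRole` is false or `Expired` is true.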