Error code : "OrganizationFromTenantGuidNotFound" and "BadRequest"

U Anton 1 Reputation point
2022-04-07T11:11:13.413+00:00

Task: I need to check my mail once a day. This is a task for the backend. I did it according to the instructions at this link: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

I get a token like this:

I make a request: /users/f00ebc8e-9293-4c72-8dc4-5a5f9bfe5247/messages
In response I get an error:

Client error: GET https://graph.microsoft.com/v1.0/users/f00ebc8e-9293-4c72-8dc4-5a5f9bfe5247/messages resulted in a 401 Unauthorized response:
{"error":{"code":"OrganizationFromTenantGuidNotFound","message":"The tenant for tenant guid 'dc9ca1bc-fa41-4235-987f-d4aa0106da8e' does not exist.","innerError":{"oAuthEventOperationId": "4b71fc30-c038-433b-a951-08486f79f3e5","oAuthEventcV":"YWaaprenLXISnEtq/mrTBQ.1.1","errorUrl":"https://aka.ms/autherrors#error-InvalidTenant","requestId":"c236f885-882b-49d9-81ca-1ce83b819cd0","date":"2022-04-07T10:59:37"}}}

If I make a request: /users/f00ebc8e-9293-4c72-8dc4-5a5f9bfe5247 - I get user data

If I make a request to /me/messages or /me I get an error:

Client error: GET https://graph.microsoft.com/v1.0/me/messages resulted in a 400 Bad Request response:
{"error":{"code":"BadRequest","message":"/me request is only valid with delegated authentication flow.","innerError":{"date":"2022-04-07T10:33:02","request-id":"2cd6413c-495e-468a-a3be-fff4efdb802a","client-request-id":"2cd6413c-495e-468a-a3be-fff4efdb802a"}}}

Why is this happening, because as far as I can see, I do everything according to the instructions?
How can I access emails in my mailbox?

Another interesting point, I noticed that in the sandbox (https://developer.microsoft.com/en-us/graph/graph-explorer) in the Access token tab, the token has a different look and is not decrypted using jwt.ms
But if I substitute this token in my program, I get access to my letters. How can I get this magic token programmatically through the backend?


5 answers

  1. Shivam Dhiman 5,946 Reputation points
    2022-04-07T15:52:39.453+00:00

    Hi @U Anton

    Error 401 Unauthorized 'OrganizationFromTenantGuidNotFound' occurs when your Azure AD does not have an Office 365 account to work with.

    If you want to access your messages for your development O365 tenant, register the app in your O365 AAD tenant that you got when you created the development tenant.

    Please follow the below steps:

    • You need a Microsoft 365 account with a subscription
    • Log in to the Azure portal with your Office 365 account
    • Create an app in Azure Active Directory under App registration and give permissions according to the documentation
    • Then use your messages endpoint for users

    You were getting user data from users/{users-id} with this API because it's an Azure AD endpoint.

    When I decoded your token, I found that you were using an application token for the me/messages endpoint.

    You need a delegated token with permissions 'Mail.ReadBasic, Mail.Read, Mail.ReadWrite' to use the 'me/messages' endpoint.

    Hope this helps.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment".

    2 people found this answer helpful.
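
Added example (not part of the original thread or any poster's code): a diagnostic that decodes a token's claims without verifying the signature, classifies it as app-only or delegated using the `roles`, `idtyp` and `scp` claims, and flags the `/me` mismatch reported in the 400 error above. The sample tokens are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

def decode_claims(token):
    """Return the JWT payload dict, or None if the token is opaque (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def describe(token):
    """Return (kind, permissions); kind is 'delegated', 'app-only', 'opaque' or 'unknown'."""
    claims = decode_claims(token)
    if claims is None:
        return "opaque", set()
    if "scp" in claims:  # delegated permissions: one space-separated string
        return "delegated", set(claims["scp"].split())
    if claims.get("idtyp") == "app" or "roles" in claims:  # application permissions
        return "app-only", set(claims.get("roles", []))
    return "unknown", set()

def check_request(token, path):
    """List the problems with sending `token` to Graph `path` (empty list: none found)."""
    kind, perms = describe(token)
    if kind == "opaque":
        return ["token is not a decodable JWT; its claims cannot be inspected"]
    problems = []
    if (path == "/me" or path.startswith("/me/")) and kind != "delegated":
        problems.append("/me requires a delegated token; address the mailbox as /users/{id}")
    if path.endswith("/messages") and not any(p.startswith("Mail.Read") for p in perms):
        problems.append("no Mail.Read* permission in the token")
    return problems

def make_token(claims):
    """Build an unsigned sample token (constructed for this example only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

APP_TOKEN = make_token({"idtyp": "app", "roles": ["Mail.Read", "User.Read.All"]})
USER_TOKEN = make_token({"scp": "Mail.Read User.Read"})

if __name__ == "__main__":
    for tok in (APP_TOKEN, USER_TOKEN, "constructed-opaque-token"):
        for path in ("/me/messages", "/users/{id}/messages"):
            print(describe(tok)[0], path, check_request(tok, path) or "ok")
```

These checks cover only what the claims show. The 401 `OrganizationFromTenantGuidNotFound` is a tenant-side condition (per the answer above, a missing Office 365 account), so a token can pass them and still be rejected.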

  2. U Anton 1 Reputation point
    2022-04-07T16:11:59.717+00:00

    Why does the sandbox work? I receive information about letters despite the fact that I do not have an Office 365 subscription.
    Can I somehow get tokens like the ones used here: https://developer.microsoft.com/en-us/graph/graph-explorer ?

    For example, confirm permissions 1 time, save the refresh token and continue to receive valid tokens on the backend, which give the right to view mail.


  3. Shumeng Li 1 Reputation point
    2022-10-06T16:26:31.327+00:00

    Hello, so if I do not have an Office 365 subscription, just an Outlook account, I have no permission to access my messages?


  4. Zsolt Kallai 0 Reputation points
    2023-08-03T17:57:27.19+00:00

    Hi,

    Has it been solved? I have exactly the same issue on my side.

    Thanks.


  5. Fruitbatz Maru 0 Reputation points
    2024-04-08T03:38:16.05+00:00

    Perhaps we need to ask again, more specifically.

    How does one obtain a token of the type issued to the graph explorer app?
