Calling create (post) /subscriptions for Mail.ReadBasic application not working (403), but for Mail.Read (same configuration) it works

Slobodan 11 Reputation points
2022-05-04T12:23:44.54+00:00

Hi.

I have 2 app registrations with the same configuration, the only difference being that one has the Mail.Read application permission and the other one has the Mail.ReadBasic application permission.

When I call /subscriptions with the same body for both, for the Mail.ReadBasic application I get a 403 error:

Error: Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]

Request body is (note: the ... in notificationUrl is a link; I removed sensitive information):

    {
        "changeType": "created",
        "expirationDateTime": "2022-05-05T00:44:18.866Z",
        "includeResourceData": false,
        "notificationUrl": "https://.../pubsub/microsoft-messages",
        "resource": "/users/slobodan@najsrecniji.onmicrosoft.com/messages"
    }

For the application with Mail.Read application permission this works, and for the application with Mail.ReadBasic application permission it doesn't.
For both applications the admin has consented to the requested permissions, and other Graph API calls work, for example /messages (with or without a filter), without signed-in tenant users, since the admin consented to the Mail.ReadBasic application permission.

Mail.Read application permissions (works): [screenshot]

Mail.ReadBasic application permissions (doesn't work): [screenshot]


2 answers

  1. Slobodan 11 Reputation points
    2022-05-09T09:45:02.513+00:00

    Hi @ShivaniRai-MSFT.

    On the same docs page it explicitly says that for subscriptions to messages, both Mail.Read and Mail.ReadBasic (delegated & application) are fine.

    [screenshot of the documentation page]

    I tried changing Mail.ReadBasic (delegated & application) to the Mail.Read permission, and it actually worked. But this isn't what it says in the documentation.
    The whole point of me having 2 Azure applications is that one is Mail.Read and the other Mail.ReadBasic, and I'm assuming I can subscribe to push notifications for messages without a body, same as with the other one.


  2. ShivaniRai-MSFT 2,726 Reputation points
    2022-05-06T12:30:35.307+00:00

    Hello @Slobodan,

    As per this documentation, creating a subscription requires read scope to the resource. For example, to get change notifications on messages, your app needs the Mail.Read permission.

    Also, according to this Mail permissions documentation, the Mail.ReadBasic permission allows the app to read email in the signed-in user's mailbox, whereas the Mail.Read permission allows the app to read email in user mailboxes. Hence, for application scope the Mail.Read permission is needed.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

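An added example (not code from this thread, and not Microsoft's own client code) showing how a client can check the `roles` claim of its app-only access token before calling `POST /subscriptions`, so the 403 discussed above (Mail.ReadBasic granted, Mail.Read required) surfaces as a clear local error instead of a generic "Access is denied". It builds the same request body as the question. Assumed for illustration: the helper names, the `example.invalid` notification URL, and the `make_test_token` helper, which produces a constructed unsigned JWT for offline use only, not a real Azure AD / Entra ID token. The 4230-minute ceiling is the documented maximum lifetime for subscriptions on mail resources; verify it against current Graph documentation.

```python
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_SUBSCRIPTIONS_URL = "https://graph.microsoft.com/v1.0/subscriptions"
REQUIRED_APP_ROLE = "Mail.Read"           # per the answer: subscriptions need read scope
INSUFFICIENT_APP_ROLE = "Mail.ReadBasic"  # enough for GET /messages, not for POST /subscriptions
# Documented maximum lifetime for a subscription on mail resources (verify against current docs).
MAX_MAIL_SUBSCRIPTION_MINUTES = 4230


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Inspection only: the app just obtained this token itself and wants to
    explain a permission problem before calling Graph. Never use an
    unverified payload to authorise a token you *received* from someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def subscription_permission_problems(token: str) -> list:
    """Explain why POST /subscriptions on /messages would return 403 for this app-only token.

    Application permissions granted by admin consent appear in the 'roles' claim.
    Returns an empty list when the token carries the role the subscription needs.
    """
    roles = set(decode_jwt_payload(token).get("roles", []))
    if REQUIRED_APP_ROLE in roles:
        return []
    if INSUFFICIENT_APP_ROLE in roles:
        return [f"{INSUFFICIENT_APP_ROLE} is granted, but creating a subscription on "
                f"/messages requires {REQUIRED_APP_ROLE}; expect 403 Forbidden"]
    return [f"no mail read role in token; {REQUIRED_APP_ROLE} is required for subscriptions"]


def build_message_subscription(user_upn: str, notification_url: str,
                               ttl_minutes: int = MAX_MAIL_SUBSCRIPTION_MINUTES) -> dict:
    """Build the request body shown in the question, with basic sanity checks."""
    if not notification_url.startswith("https://"):
        raise ValueError("Graph only delivers change notifications to HTTPS endpoints")
    if not 0 < ttl_minutes <= MAX_MAIL_SUBSCRIPTION_MINUTES:
        raise ValueError("expirationDateTime exceeds the maximum for mail subscriptions")
    expires = datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes)
    return {
        "changeType": "created",
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%S.")
        + f"{expires.microsecond // 1000:03d}Z",
        # False avoids the encryption-certificate requirement for rich notifications
        "includeResourceData": False,
        "notificationUrl": notification_url,
        "resource": f"/users/{user_upn}/messages",
    }


def create_subscription(token: str, body: dict) -> dict:
    """POST the subscription to Graph (network call; not exercised offline)."""
    problems = subscription_permission_problems(token)
    if problems:
        raise PermissionError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_SUBSCRIPTIONS_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def make_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only (not a real Azure AD / Entra ID token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed tokens mirroring the two app registrations in the question.
    basic = make_test_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.ReadBasic"]})
    full = make_test_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"]})
    print("Mail.Read app:     ", subscription_permission_problems(full) or "ok")
    print("Mail.ReadBasic app:", subscription_permission_problems(basic))
    print(json.dumps(build_message_subscription(
        "slobodan@najsrecniji.onmicrosoft.com",
        "https://example.invalid/pubsub/microsoft-messages"), indent=2))
```

The check runs against the token the app already holds, so it costs no extra Graph call; with a real token from the Mail.ReadBasic registration the `roles` claim will lack `Mail.Read` and `create_subscription` refuses up front with the reason, which is far easier to act on than the bare "Access is denied" in the question.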