Question asked by Slobodan-5796 (1 vote; HacheJulio-1757 commented)
Calling create (post) /subscriptions for Mail.ReadBasic application not working (403), but for Mail.Read (same configuration) it works

Hi.

I have 2 app registrations with the same configuration, the only difference is that one has Mail.Read Application permission, and the other one has Mail.ReadBasic application permission.

When I call /subscriptions with the same body for both, for the Mail.ReadBasic application I get a 403 error:

Error: Operation: Create; Exception: [Status Code: Forbidden; Reason: Access is denied. Check credentials and try again.]

Request body is (note that the ... in notificationUrl is a link; I removed sensitive information):

{
    "changeType": "created",
    "expirationDateTime": "2022-05-05T00:44:18.866Z",
    "includeResourceData": false,
    "notificationUrl": "https://.../pubsub/microsoft-messages",
    "resource": "/users/slobodan@najsrecniji.onmicrosoft.com/messages"
}

For the application with the Mail.Read application permission this works, and for the application with the Mail.ReadBasic application permission it doesn't.
For both applications the admin has consented to the permissions asked, and other Graph API calls work (for example /messages, with or without a filter) without signed-in tenant users, since the admin consented to the Mail.ReadBasic application permission.


Mail.Read application permissions (works):
[screenshot attachment: 198810-screenshot-2022-05-04-at-141941.png]

Mail.ReadBasic application permissions (doesn't work):
[screenshot attachment: 198863-screenshot-2022-05-04-at-142003.png]

microsoft-graph-change-notifications
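The question shows the raw request body and the 403 it produced. As an added example that is not part of the original thread, the Python below builds that same POST /subscriptions body programmatically, enforces the two properties Graph checks before it even looks at permissions (an HTTPS notificationUrl and an expiration inside the allowed window), and turns a Graph error response into a message that points at the application-permission grant rather than at the credentials. Assumptions not taken from the page: the caller already holds an app-only access token; the 10080-minute lifetime cap is assumed and should be checked against the Graph documentation; the `post` callable, the example user, the webhook URL and the sample 403 response are all constructed for illustration.

```python
"""Added example (not from the Q&A thread): create a Microsoft Graph change-
notification subscription on a user's messages and explain a 403 usefully."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Tuple
from urllib.parse import urlparse

GRAPH_SUBSCRIPTIONS = "https://graph.microsoft.com/v1.0/subscriptions"

# Assumed maximum lifetime for a messages subscription (verify against Graph docs).
MAX_MESSAGE_SUBSCRIPTION = timedelta(minutes=10080)


class GraphSubscriptionError(RuntimeError):
    """Raised when Graph refuses the subscription; message carries status and code."""


def build_subscription(user: str, notification_url: str,
                       lifetime: timedelta = timedelta(days=1)) -> Dict:
    """Return the JSON body for POST /subscriptions on /users/{user}/messages."""
    if urlparse(notification_url).scheme != "https":
        raise ValueError("notificationUrl must be https: Graph rejects plain-HTTP webhooks")
    if not (timedelta(0) < lifetime <= MAX_MESSAGE_SUBSCRIPTION):
        raise ValueError("lifetime out of range for a messages subscription")
    expires = datetime.now(timezone.utc) + lifetime
    return {
        "changeType": "created",
        # ISO 8601 with millisecond precision and a trailing Z, as in the question
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "includeResourceData": False,   # notifications carry ids only, no message body
        "notificationUrl": notification_url,
        "resource": f"/users/{user}/messages",
    }


def create_subscription(post: Callable[[str, Dict, Dict], Tuple[int, str]],
                        token: str, body: Dict) -> Dict:
    """POST `body` to Graph via `post(url, headers, json_body) -> (status, text)`.

    Returns the created subscription on 201; otherwise raises with the Graph
    error code and, for 403, a hint about the application-permission grant."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = post(GRAPH_SUBSCRIPTIONS, headers, body)
    if status == 201:
        return json.loads(text)
    try:
        err = json.loads(text).get("error", {})
    except ValueError:
        err = {}
    code = err.get("code", "unknown")
    msg = err.get("message", text[:200])
    hint = ""
    if status == 403:
        # The token was accepted (otherwise 401); the app lacks a granted
        # application permission that this resource accepts, or admin consent
        # for it is missing. Compare the permission grant for each app registration.
        hint = (f" Check the application permissions granted (and admin-consented) "
                f"for resource {body['resource']}.")
    raise GraphSubscriptionError(f"HTTP {status} {code}: {msg}{hint}")


def urllib_post(url: str, headers: Dict, json_body: Dict) -> Tuple[int, str]:
    """Real transport using only the standard library."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=json.dumps(json_body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed 403 response modelled on the error text quoted in the question.
SAMPLE_403 = json.dumps({"error": {"code": "ErrorAccessDenied",
                                   "message": "Access is denied. Check credentials and try again."}})


def stub_post_403(url: str, headers: Dict, json_body: Dict) -> Tuple[int, str]:
    """Offline stand-in for urllib_post that reproduces the question's failure."""
    return 403, SAMPLE_403


if __name__ == "__main__":
    body = build_subscription("user@example.onmicrosoft.com",
                              "https://example.invalid/pubsub/microsoft-messages")
    try:
        create_subscription(stub_post_403, "app-only-token-placeholder", body)
    except GraphSubscriptionError as e:
        print(e)
```

Swap `stub_post_403` for `urllib_post` and a real token to run it against Graph; keeping the transport injectable is what lets the 403 handling be exercised without credentials.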

ShivaniRai-MSFT-7217 answered (0 votes):

Hello @Slobodan-5796,

As per this documentation, creating a subscription requires read scope to the resource. For example, to get change notifications on messages, your app needs the Mail.Read permission.
[screenshot attachment: 199656-image.png]

Also, according to this Mail permissions documentation, the Mail.ReadBasic permission allows the app to read email in the signed-in user's mailbox, whereas the Mail.Read permission allows the app to read email in user mailboxes. Hence, for application scope the Mail.Read permission is needed.
[screenshot attachment: 199691-image.png]

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


Slobodan-5796 answered (1 vote):

Hi @ShivaniRai-MSFT-7217.

On the same docs page it explicitly says that for subscriptions to messages, both Mail.Read and Mail.ReadBasic (delegated & application) are fine.

[screenshot attachment: 200273-screenshot-2022-05-09-at-112631.png]

I tried changing Mail.ReadBasic (delegated & application) to the Mail.Read permission, and it actually worked. But this isn't what it says in the documentation.
The whole point of me having 2 Azure applications is that one is Mail.Read and the other Mail.ReadBasic, and I'm assuming I can subscribe to push notifications for messages without a body, the same as with the other one.