Microsoft Graph | Microsoft Community Hub

Forum Widgets

Latest Discussions

Error while creating Graph API Access token
Hi guys, I am trying to create an access token for calling Graph API through browser. When I call 'https://login.microsoftonline.com/XXXX-XXXX-XXX-XXX-XXX/oauth2/token' api using AJAX, I receive below error. Access to XMLHttpRequest at 'https://login.microsoftonline.com/XXXX-XXXX-XXX-XXX-XXX/oauth2/token' from origin 'https://cevalogisticsoffice365.sharepoint.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Please can you provide me why this error is occurring and what is the solution for this. Regards
sanjaychauhan
Copper Contributor
Nov 27, 2025
45Views
0likes
0Comments
Attempt to automate GSA setup in Azure through Graph API
Hi, Using https://developer.microsoft.com/en-us/graph/graph-explorer and signed in as a user with Applications, Network, NetworkPolicy, Global Secure Access Admin roles, I am trying to POST to https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks using Payload Body { "name": "Hello", "region": "norwayEast" } How come I get the HTTP response code 400 with "code": "UnknownError", "message": "{\"error\":\"Invalid request parameters\"}", ?
Sjur
Copper Contributor
Nov 24, 2025
13Views
0likes
0Comments
O365 Group email settings
I am in the middle of trying to create some automated routines that create groups in O365 and add/remove members from them as needed. One of things I ran into is that when an email is sent to the group, the emails are not going into each members' inbox and are only visible in Outlook through "Go to groups" in the left hand menu. I can see the settings that need to be set but can't set them because either, A: it just doesn't do it or B: says I don't have permission. Doing this through C# and the Graph SDK The two items I think I need to turn on are below. What permissions are needed to be able to manage those settings but NOT be able to have access to anyone and everyones' email boxes, emails, etc or is there another way to do this? IsSubscribedByMail AutoSubscribeNewMembers
xxBigbacon
Copper Contributor
Nov 18, 2025
api
App
developer
office 365
Office Graph
108Views
0likes
1Comment
Retrieve Item Analytics for Multiple Items
Hi, our team has noticed that it’s not possible to retrieve analytics when querying a list of items using $expand. When we run this type of query, we don’t receive an error indicating that it’s not allowed; instead, the analytics property just returns null values. https://graph.microsoft.com/v1.0/sites/<<SiteId>>/lists/<<ListID>>/items?$expand=fields,analytics($expand=allTime) However, when we query a single item, everything works as expected. https://graph.microsoft.com/v1.0/sites/<<SiteId>>/lists/<<ListID>>/items/<<ListID>>/analytics/allTime Is there a way to retrieve analytics data for multiple items in one request?
michalkornet
Iron Contributor
Nov 13, 2025
23Views
1like
0Comments
Missing types in personType resource type documentation
Hi, Some time ago, I was working with the Microsoft Graph People endpoint and wanted to filter by personType properties. I’d like to suggest listing all possible values for personType in the documentation for the resource type. Here’s the documentation I’ve been using: personType resource type - Microsoft Graph v1.0 | Microsoft Learn After some research, I found this blog post that seems to contain relevant information: https://devblogs.microsoft.com/microsoft365dev/people-api-available-in-microsoft-graph-v1/ Is this list still valid? If so, perhaps it could be included directly in the resource type documentation. Thanks
Solved
michalkornet
Iron Contributor
Nov 07, 2025
Microsoft Graph
58Views
0likes
2Comments
Entra Conditional Access Issue
Hi Guys, Our Outlook add-in relies on the Graph API to fetch emails. Due to customer-side Conditional Access (CA) Policies, we are seeing critical failures where Continuous Access Evaluation (CAE) demands user interaction (InteractionRequired code) to resolve challenges like LocationConditionEvaluationSatisfied or TokenCreatedWithOutdatedPolicies. Since this authentication occurs backend-to-Entra, we lack a frontend mechanism to prompt the required user interaction. Is there a recommended pattern, method, or architectural change that allows our backend to redirect or challenge the user for interactive sign-in, thereby satisfying these CAE requirements and unblocking customers? Exact error messages: 1. Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied 2. Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies
aniket-kuiri-procore
Copper Contributor
Oct 30, 2025
api
Office Graph
30Views
0likes
0Comments
Unable to authenticate with MSAL using a certificate
Hi guys, I'm using the certificate authentication for my WinForms app to connect to SharePoint and Graph API. I followed this article to create the certificate https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate Uploaded the certificate to the App Registration, gave all appropriate permissions. However, when I tried to connect to SharePoint or the Graph API, I got this error A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700021: Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials . Microsoft.Graph.ServiceException: Code: generalException Message: An error occurred sending the request. BUT, this only happened on 1 specific machine running Windows 11 Pro. I tested on 4-5 different machines (both W10 and W11), they didn't get this error. I tried verifying the cert thumbprint which matched the one uploaded on the App Registrations. The certificate is not stored in the machine cert store, I use X509KeyStorageFlags.EphemeralKeySet when calling it. Not sure what else to check.
Solved
Jack_Le_Syn
Copper Contributor
Oct 16, 2025
certificate
developer
GraphAPI
sharepoint
Winforms
198Views
0likes
6Comments
403 Error: Application access policy not found, -Global scope not available in tenant
Hi everyone, I'm trying to use Microsoft Graph API to retrieve online meeting details using an application identity. However, I receive a 403 error with the message: "No application access policy found for this app" I followed the documentation here: Configure application access policy, but I encountered a problem: the -Global scope mentioned in the documentation is not available in my tenant. I’ve successfully granted the policy using the following methods: Option A – Grant to Specific User Grant-CsApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" -Identity "email address removed for privacy reasons" Option B – Grant to AD Group New-CsGroupPolicyAssignment -GroupId "YOUR_GROUP_ID" -PolicyType ApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" These work fine, and the app can access online meetings for users or groups assigned this way. However, I need to allow the app to access meetings across the organization, and the -Global assignment method is not available in my tenant. Questions: Is there an alternative to -Global for tenant-wide access? Is this limitation expected in certain tenant configurations? Any workaround or best practice for enabling organization-wide access to online meetings via Graph API? Thanks in advance!
David_Chan2255
Copper Contributor
Oct 14, 2025
api
developer
152Views
0likes
4Comments
403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello, I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared. I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python: def get_access_token() -> str: load_dotenv() client_id = os.getenv("CLIENT_ID") client_secret = os.getenv("CLIENT_SECRET") tenant_id = os.getenv("TENANT_ID") authority = f"https://login.microsoftonline.com/{tenant_id}" scopes = ["https://graph.microsoft.com/.default"] # app-only token app = msal.ConfidentialClientApplication( client_id=client_id, client_credential=client_secret, authority=authority ) result = app.acquire_token_for_client(scopes=scopes) if "access_token" not in result: raise RuntimeError(f"Auth failed: {result.get('error_description') or result}") return result["access_token"] The token is retrieved successfully. However, when I try to send an email with: GRAPH_BASE = "https://graph.microsoft.com/v1.0" def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool: """ Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token. Returns True on success; raises HTTPError on failure. """ payload = { "message": { "subject": subject, "body": {"contentType": "Text", "content": body_text}, "toRecipients": [{"emailAddress": {"address": to_address}}], }, "saveToSentItems": bool(save_to_sent), } r = requests.post( f"{GRAPH_BASE}/users/{from_user}/sendMail", headers={"Authorization": f"Bearer {access_token}"}, json=payload, timeout=20, ) r.raise_for_status() return True …I get this error: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons). Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail. Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful. Thank you!
rcant
Copper Contributor
Oct 06, 2025
api
developer
graph
Graph API
Office Graph
131Views
0likes
1Comment
Granting App ability to change group memberships by making it an owner?
Hello, We'd like an app to be able to control memberships of only certain security groups using app-based authentication. Today it is documented that a GroupMember.ReadWrite.All role is needed to do this on the app registration: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http This, however, grants access to the app to make changes to any group. However, we have noticed that API calls to change memberships work on groups owned by the Service Principal. For example, if I make a call to the API below for memberships and the app is assigned as the owner of the group, it works. https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/ Is this a supported mechanism? I don't see it documented anywhere.
Carl_Karawani
Brass Contributor
Sep 25, 2025
api
developer
66Views
0likes
1Comment

Resources

Tags

api242 Topics
Office Graph167 Topics
developer129 Topics
office 36597 Topics
Graph API31 Topics
App30 Topics
Microsoft Graph Api21 Topics
Microsoft Graph20 Topics
graph13 Topics
Delve9 Topics