Chris020103
Copper Contributor
Jun 20, 2025

Getting 403 Unauthorized on Graph API Mail Access (School Project with Consent Given)

Hi everyone,

I'm currently working on a school project involving the Microsoft Graph API, and I'm running into an issue. I hope someone in here can help me with it.

The project is called Sumday. It’s a concept app that pulls in emails daily from a user's mailbox, summarizes them using the ChatGPT API into a to-do list, and then creates tasks in Microsoft To Do. The goal is to provide users with a daily productivity summary and action plan based on their incoming mail.

The issue is this:
Even though another user has granted consent to my app registration (via delegated permissions), I receive a 403 Unauthorized error on every API call when trying to read their mailbox. I understand that delegated permissions require the signed-in user to match the mailbox being accessed, but since this is just a school project and not a production application, I’m wondering:

  • Is there any workaround or sandbox approach that allows this kind of delegated access to be simulated?
  • Is the issue caused by Microsoft 365 education/school tenant restrictions?
  • Since I can log in and access my own mailbox just fine, is there a way I can safely test cross-user scenarios for demo purposes?

Important note:
I did manage to get this working using a Logic App, but that’s not the approach I want to take for this project. My goal is to integrate everything within my own app and codebase, so relying on Logic Apps is more of a temporary workaround rather than a long-term solution.

I’m not trying to bypass any limitations, just hoping to better understand what’s possible in this context and how I can move forward with developing and testing the core idea.

If anyone has insights, experience, or advice on this, I’d really appreciate your help.

Thanks in advance!

Best,

Chris

4 Replies

  • Chris020103
    Copper Contributor

    Hi VasilMichev,

    Thanks again for your help so far.

    I’ve configured the delegated Microsoft Graph permissions in my Azure AD app registration (Mail.Read, Mail.Read.Shared, and User.Read) and granted consent, but I’m still getting a 403 Unauthorized response when I try to access mailboxes — both within my own tenant and across external tenants.

    Could this be related to Publisher Verification, as described in Microsoft’s documentation?

    https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview

    Is there any way to access external tenant mailboxes without Publisher Verification — for example, if the external user explicitly consents, or if specific cross-tenant permissions are configured? Also, could my Microsoft 365 student license be a limiting factor in this scenario?

    Any clarification would be greatly appreciated.

    Best regards,

    Chris

  • If you are running the code via delegate permissions, you will only have access to resources the current user has. This includes his own mailbox, and any mailboxes for which he has been granted delegate permissions in Exchange Online, but for the latter you do need consent for Mail.Read.Shared as well.

    • Chris020103
      Copper Contributor

      Hi VasilMichev,

      First of all thanks for your help so far.

      Just to clarify, I've attached a screenshot from my Azure AD app registration, showing that the necessary delegated Microsoft Graph permissions are already configured and granted (including Mail.Read, Mail.Read.Shared and User.Read). Despite this, I'm still receiving a 403 Unauthorized response when trying to access mailboxes outside my own tenant...



      Could this issue be related to Publisher Verification, as outlined in Microsoft's documentation here?
      https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview?utm_source=chatgpt.com

      Also, is there any way to access external tenant mailboxes without publisher verification, for example by having the external user explicitly consent, by inviting the external user into my tenant?

      Any clarification would be greatly appreciated!

      Best regards,

      Chris


       

      • VasilMichev
        MVP

        If the idea is to access mailboxes in other tenants, your app must be registered as a multi-tenant one, and yes, the publisher verification process can be a blocker for that. An admin from the other organization can still grant consent, but end users will not. The screenshot only tells us the situation in your tenant, not the "customer" one. Make sure consent has been granted on that end, and the permissions are correctly reflected in the access token.

        Inviting the external user won't help, as mailbox access only works within a tenant. 
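
The check suggested in the last reply (confirm the permissions are reflected in the access token), as an added example that is not part of the thread: it decodes the token payload for inspection only, without verifying the signature, and compares the `aud`, `tid` and `scp` claims with what a delegated mail call needs. The function names, tenant IDs and sample token are constructed for illustration.

```python
import base64
import json

# Audience values that identify Microsoft Graph in an access token.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned stand-in for a real token (sample input only)."""
    return ".".join([_b64url({"typ": "JWT", "alg": "RS256"}), _b64url(claims), "constructed"])

def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token: str, mailbox_tenant: str, required_scopes: set) -> list:
    """Return findings that would explain a 403; an empty list means the claims fit."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"aud {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != mailbox_tenant:
        findings.append(f"tid {claims.get('tid')!r} is not the mailbox tenant")
    if "scp" not in claims:  # delegated tokens carry scp; app-only tokens carry roles
        findings.append("no scp claim: not a delegated token")
    missing = set(required_scopes) - set(claims.get("scp", "").split())
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    return findings

# Constructed tenant IDs and claims, not taken from the thread.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"
SAMPLE = make_sample_token({"aud": "https://graph.microsoft.com", "tid": HOME_TENANT,
                            "scp": "Mail.Read User.Read"})

if __name__ == "__main__":
    for finding in check_token(SAMPLE, CUSTOMER_TENANT, {"Mail.Read", "Mail.Read.Shared"}):
        print(finding)
```

A token issued by the home tenant shows up here as a `tid` mismatch, which matches the point above that the screenshot only reflects consent in the app's own tenant.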
