Forum Discussion
Getting 403 Unauthorized on Graph API Mail Access (School Project with Consent Given)
If you are running the code via delegate permissions, you will only have access to resources the current users has. This includes his own mailbox, and any mailboxes for which he has been granted delegate permissions in Exchange Online, but for the latter you do need consent for Mail.Read.Shared as well.
Hi VasilMichev,
First of all thanks for your help so far.
Just to clarify, I've attached a screenshot from my azure AD app registration, showing that the necessary delagated Microsoft Graph permissions are already configured and granted (Including Mail.Read, Mail.Read.Shared and User.Read). Despite this, I'm still receiving a 403 Unauthorized response when trying ot access mailboxes outside my own tenant....
Could this issue be related to Publisher Verfication, as outlined in Microsoft's documentation here?
https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview?utm_source=chatgpt.com
Also, is there any way to access external tenant mailboxes without publisher verifcation, for example by havimng the external user explicity consent, by inviting the external user into my tenant?
Any clarification would be greatly appreciated!
Best regards,
Chris
If the idea is to access mailboxes in other tenants, your app must be registered as multi-tenant one, and yes, the publisher verification process can be a blocker for that. An admin from the other organization can still grant consent, but end users will not. The screenshot only tells us the situation in your tenant, not the "customer" one. Make sure consent has been granted on that end, and the permissions are correctly reflected in the access token.
Inviting the external user won't help, as mailbox access only works within a tenant.