Use Outlook REST API to send email failed when using App-only token.

Frank Chen
Occasional Contributor

I am trying to use outlook REST API to send email by using app-only token and got the following exception.

"x-ms-diagnostics: 2000008;reason="The token contains no permissions, or permissions can not be understood.";error_category="invalid_grant""

the following steps is the one I did

create a Azure AD app to update "keyCredentials" section for certificate informaiton in manifest file.

configure "O365 exchange online" to have "send email as any user" for "Application Permissions" 

run the following code:

        private async static Task SendEamil()
            //string tenantId = "";
            //string clientId = "your client id";
            //string resourceId = "";
            //string resourceUrl = ""; //this is your on-behalf user's UPN
            //string authority = String.Format("{0}", tenantId);
            //string certficatePath = @"c:\test.pfx"; //this is your certficate location.
            //string certificatePassword = "xxxx"; // this is your certificate password
            //read Azure Ad setting from a file. 
            string settingJson = String.Format("{0}\\setting.settingjson", AppDomain.CurrentDomain.BaseDirectory);
            AzureAdSetting setting = AzureAdSetting.CreateInstance(settingJson);

            var itemPayload = new
                Message = new
                    Subject = "Test email",
                    Body = new { ContentType = "Text", Content = "this is test email." },
                    ToRecipients = new[] { new { EmailAddress = new { Address = setting.SendEmail } } }

            //if you need to load from certficate store, use different constructors. 
            X509Certificate2 certificate = new X509Certificate2(setting.CertficatePath, setting.CertificatePassword, X509KeyStorageFlags.MachineKeySet);
            AuthenticationContext authenticationContext = new AuthenticationContext(setting.Authority, true);
            ClientAssertionCertificate cac = new ClientAssertionCertificate(setting.ClientId, certificate);

            //get the access token to Outlook using the ClientAssertionCertificate
            var authenticationResult = await authenticationContext.AcquireTokenAsync(setting.ResourceId, cac);
            string token = authenticationResult.AccessToken;

            //initialize HttpClient for REST call
            HttpClient client = new HttpClient();
            client.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);
            client.DefaultRequestHeaders.Add("Accept", "application/json");

            //setup the client post
            HttpContent content = new StringContent(JsonConvert.SerializeObject(itemPayload));
            //Specify the content type. 
            content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json;odata=verbose");
            HttpResponseMessage result = await client.PostAsync(setting.ResourceUrl, content);
            if (result.IsSuccessStatusCode)
                //email send successfully.
                Console.WriteLine("Email sent successfully. ");
                //email send failed. check the result for detail information from REST api.
                Console.WriteLine("Email sent failed. Error: {0}", await result.Content.ReadAsStringAsync());


The weird thing I found out was that I tried above steps and code in my personal O365 tenant and it works. Just wondering if anyone know any configures we need to turn on in O365 central admin to allow Outlook REST API access via app-only token.


3 Replies

Mail.Send in App-only requires Admin Consent. (


You can request admin consent by pasking &prompt=admin_consent to the authorize endpoint.

Thanks for your note, Paul. I realized that the admin consent is required for the Azure Ad App created by non-admin like regular develoers. I also found out that there is a button call "Grant Permission" right beside "add" button at "Application Permission" slab in new Azure AD preivew portal. When admin click that button, it actually consent the permission. I wasn't able to find the detail document to explain what that button means from Azure AD portal. this button actually solved my issues.

Ah,yes. For a single tenant application, the portal approach is fine. My approach works for multi-tenant.


P.S. Those things in the portal are called a "blade"  :)

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies