Microsoft Graph topics

Mails with attachments sent via the Graph API are stuck in drafts folder and not being sent

abhaykrishnakasavaraju — Thu, 05 Mar 2026 04:45:22 GMT

Mails being sent via Graph API using the createUploadSession way is keeping the mails in the Drafts folder and not being sent. This was working till mid January. Is there any graph update/ api deprecation that happened recently that is causing the issue?

Is principalId Always a GUID in Microsoft Graph ??

Agathiyan — Fri, 13 Feb 2026 08:32:21 GMT

{

"error": {

"code": "Request_BadRequest",

"message": "Invalid GUID:HR",

"innerError": {

"date": "2026-02-13T06:44:24",

"request-id": "87678d90-1d94-4131-a705-4356ad3568a4",

"client-request-id": "63569c7b-1dea-42d4-8d72-aa3668c78418"

}

We’re encountering an issue with the Microsoft Graph API response for directoryRole

Recently, one of our Graph API calls started returning a response where the principalId value appears to be a custom string instead of the expected GUID. In our code, we loop through each id from the delta response, assuming it will always be a valid GUID. However, we are now getting errors because one of the returned principalId values does not match the expected format.

Our questions:

Is it possible for Microsoft Graph API to return a custom string instead of a GUID for principalId?
Has anyone experienced similar behavior with delta queries for directoryRole or any other object?
Are there any known scenarios where the principalId format differs from the standard GUID?

Any insights would be appreciated.

Microsoft Graph API returns 502 Bad Gateway (UnknownError) when calling List members of a chat

cat2552 — Fri, 06 Feb 2026 06:40:08 GMT

Description:

I am encountering a persistent 502 Bad Gateway error with the UnknownError code when attempting to list members of a specific chat via the Microsoft Graph API v1.0. This issue occurs even though the chat ID is valid and the authorization token has the necessary permissions.

API Endpoint:

GET /v1.0/chats/{chat-id}/members

Steps to Reproduce:

1. Obtain a valid access token with Chat.Read or Chat.ReadWrite permissions.

2. Call the endpoint for a meeting chat:

https://graph.microsoft.com/v1.0/chats/19:meeting_NmU5Yjk3NTAtYTk2ZS00Yzg0LWEyYmQtZTJhMjI4NmJjZmRh@thread.v2/members

3. The API returns a 502 Bad Gateway response.

Debug Information (Request Details):

* Date: 2026-02-06 06:17:55 (GMT)

* Request ID: be906f9e-2108-4722-91b8-ecee8bfb41f0

* Client Request ID: be906f9e-2108-4722-91b8-ecee8bfb41f0

* DataCenter: Germany West Central

* X-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"001","RoleInstance":"FR2PEPF0000118F"}}

Raw Response Body:

{

"error": {

"code": "UnknownError",

"message": "Bad Gateway",

"innerError": {

"date": "2026-02-06T06:17:55",

"request-id": "be906f9e-2108-4722-91b8-ecee8bfb41f0",

"client-request-id": "be906f9e-2108-4722-91b8-ecee8bfb41f0"

}

Additional Context:

The connection is established successfully via TLS 1.3, but the upstream server seems to be failing. This happens specifically with meeting-related chat threads. Could you please investigate if there is a service degradation or a specific issue with this chat object in the Germany West Central region?

Intermittent connection failures with login.microsoftonline.com since Jan

vinodivinod — Wed, 04 Feb 2026 15:50:05 GMT

we are getting intermittent connection failures (handshake error http -1) while connecting to token URL -

"login.microsoftonline.com" since last one month. Anything changed as far as accessing this graph API access token URL? tried grabbing certificate from this URL but still the issue persists. which certificate should we be using?

anybody has any insights on this issue?

unable to send notification to teams channel using graph api

maram_akhil_21 — Wed, 04 Feb 2026 07:26:20 GMT

We tried to send notification to teams channel using microsoft graph api via python we can able to send to message to the channel but the notification is not getting triggered in the activity tab we have refered below documentation.

team: sendActivityNotification - Microsoft Graph v1.0 | Microsoft Learn

Also we don't need device authentication and browser authentication please share approach to bypass those things. below is the error we are facing.

raise exc

msgraph.generated.models.o_data_errors.o_data_error.ODataError:

APIError

Code: 403

message: None

error: MainError(additional_data={}, code='Forbidden', details=None, inner_error=InnerError(additional_dmsgraph.generated.models.o_data_errors.o_data_error.ODataError:

APIError

Code: 403

message: None

error: MainError(additional_data={}, code='Forbidden', details=None, inner_error=InnerError(additional_d APIError

Code: 403

message: None

error: MainError(additional_data={}, code='Forbidden', details=None, inner_error=InnerError(additional_d Code: 403

message: None

error: MainError(additional_data={}, code='Forbidden', details=None, inner_error=InnerError(additional_d message: None

error: MainError(additional_data={}, code='Forbidden', details=None, inner_error=InnerError(additional_d error: MainError(additional_data={}, code='Forbidden', details=None, inner_error=InnerError(additional_data={}, client_request_id='________-___-____-____-____________', date=datetime.datetime(2026, 2, 3, 14, 37, 8), odata_type=None, request_id='________-___-____-____-____________'), message="Application with AAD App Id '________-___-____-____-____________' is not authorized to generate notifications about 'https://graph.microsoft.com/v1.0/teams/6a6079bc-feaf-4865-bc21-1201b310c25c' to the recipient. Ensure that the expected Teams app is installed in the target scope (user, team, or chat).", target=None).

Please help us to resolve this issue.

Deleted security groups return "securityEnabled": false, appear as ‘unrecognized’ in Entra admin

soniabouna — Wed, 28 Jan 2026 21:49:12 GMT

When retrieving the list of soft-deleted groups with Graph, both M365 groups and security groups are returned.

However, the securityEnabled flag is returned as false for security groups. Is this a bug?

This likely leads to displaying them in the Entra admin center as 'Unrecognized' type.

Slow UI update for deleted events

devdevdev — Fri, 23 Jan 2026 09:47:14 GMT

I've built an integration that continuously syncs events between an external scheduling system and Exchange Online using Microsoft Graph.

I'm observing a recurring issue when deleting calendar events via Graph:

A DELETE request to Graph returns success (204 No Content).
A subsequent GET /events/{id} returns 404, confirming the event is deleted server-side.
However, the event continues to appear in the Outlook UI (both Outlook Web and desktop) for an extended period (sometimes hours), even after page reloads or app restarts.

The odd behaviour

The event is still displayed in the user interface for up to several hours
The event persist through page reloads
If the user clicks the event it opens briefly and immediately closes, the event disappears from the UI afterward.

Additional details

Delete endpoint:
```
/users/{id}/events/{id}
```
Graph response:
```
204 No Content
```
Verified deletion via GET → 404
Reproduces in both Outlook Web and Outlook desktop

Questions

Is this a known Outlook client caching or calendar view indexing issue?
Is there a way to force client reconciliation after deletes?
Are there Graph or Exchange constraints around rapid create/update/delete cycles that could cause this UI inconsistency?

How to Retrieve Windows Edition (SKU) from managedDevices API

KienQS — Tue, 23 Dec 2025 07:33:16 GMT

Hi everyone,

I am working with the Microsoft Graph API endpoint
/v1.0/deviceManagement/managedDevices
to iterate through all devices in a tenant and collect operating system related information.

For Windows devices, the operatingSystem field only returns "Windows". However, Windows has multiple editions such as Enterprise, Education, and Pro.

For my use case, I need the specific Windows edition. Is it possible to retrieve this information using only the v1.0 endpoint, or is the beta endpoint
/beta/deviceManagement/managedDevices/{managedDeviceId}
required to get the SKU family?

Thanks in advance for your help.

Resource not found while trying to access the available resource

Agathiyan — Mon, 15 Dec 2025 11:41:13 GMT

I am attempting to automate CRUD operations on Microsoft Entra objects using the Microsoft Graph API. However, I am encountering a Resource not found error when accessing a resource programmatically, even though the same resource is accessible without issue when invoking the API endpoint via Postman.

Alias for Refinable Managed Property Not Working in Search Queries

Sean17 — Mon, 15 Dec 2025 08:36:30 GMT

Hi,

The alias for the refinable managed property has worked as expected in sortProperties for the past year, but it has recently stopped working and now returns an error. Using the original managed property name (RefinableDateSingle01) continues to work as expected.

The error is shown below, together with the trace ID. Unfortunately, we are unable to switch to using RefinableDateSingle01 in sortProperties as it does not meet our business requirements.

We are currently facing challenges due to the large number of SharePoint sites, many of which we do not have permission to access. As a result, we can only confirm that the refinable managed property RefinableDateSingle01 and its associated alias are configured correctly on the SharePoint sites where we have full access.

What is the root cause of this issue, and how can it be resolved?

https://graph.microsoft.com/v1.0/search/query

{ "requests": [ { "entityTypes": [ "listItem" ], "query": { "queryString": "* AND SiteId:\"siteId\"" }, "from": 0, "size": 50, "sortProperties": [ { "name": "RefinableDateSingle01", // This works when I use the refinable managed property name (RefinableDateSingle01), but it does not work when I use the alias I defined for this property "isDescending": false } ] } ] }

500 Internal Server Error (When I used alias in sortProperties)

{ "error": { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "InternalServerError", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "FanoutDownstreamContradiction", "message": "The call failed, please try again.", "target": "", "details": [ { "code": "TwoStepFanout_FirstStepFailed", "message": "The call failed, please try again.", "target": "", "serviceName": "Xap", "moduleName": "SubstrateSearch.FanoutV2.MultiDimensionSearchFanoutPluginV3", "contactTeam": "3sdri", "httpCode": 500 }, { "code": "FanoutDownstreamContradiction", "message": "The call failed, please try again.", "target": "", "serviceName": "FanoutService", "moduleName": "Fanout", "contactTeam": "3STenantSearchDevs", "httpCode": 500 } ], "serviceName": "FanoutService", "moduleName": "Fanout", "contactTeam": "3STenantSearchDevs", "httpCode": 500 } ], "moduleName": "SubstrateFanoutSearchWorkflow", "httpCode": 500 } ], "moduleName": "AscUserSearchFanoutWorkflowV2", "httpCode": 500 } ], "moduleName": "AscUserSearchFanoutWorkflowV2", "httpCode": 500 } ], "moduleName": "G21AscWorkflow", "httpCode": 500 } ], "moduleName": "TenantFileSearchFederationWorkflow_ASC", "httpCode": 500 } ], "moduleName": "TenantFileSearchFederationWorkflow", "httpCode": 500 } ], "moduleName": "FederationWorkflow", "httpCode": 500 } ], "moduleName": "TopLevelWorkflowBase", "httpCode": 500 }, "Instrumentation": { "TraceId": "57c005b9-07fc-453b-8c73-2650d90670e0" } }

Error while creating Graph API Access token

sanjaychauhan — Thu, 27 Nov 2025 16:59:58 GMT

Hi guys,

I am trying to create an access token for calling Graph API through browser. When I call 'https://login.microsoftonline.com/XXXX-XXXX-XXX-XXX-XXX/oauth2/token' api using AJAX, I receive below error.

Access to XMLHttpRequest at 'https://login.microsoftonline.com/XXXX-XXXX-XXX-XXX-XXX/oauth2/token' from origin 'https://cevalogisticsoffice365.sharepoint.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Please can you provide me why this error is occurring and what is the solution for this.

Regards

Attempt to automate GSA setup in Azure through Graph API

Sjur — Mon, 24 Nov 2025 09:05:21 GMT

Hi,

Using https://developer.microsoft.com/en-us/graph/graph-explorer and signed in as a user with Applications, Network, NetworkPolicy, Global Secure Access Admin roles, I am trying to POST to
https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks
using Payload Body

{

"name": "Hello",

"region": "norwayEast"

}
How come I get the HTTP response code 400 with

"code": "UnknownError",

"message": "{\"error\":\"Invalid request parameters\"}",
?

O365 Group email settings

xxBigbacon — Tue, 18 Nov 2025 13:53:20 GMT

I am in the middle of trying to create some automated routines that create groups in O365 and add/remove members from them as needed. One of things I ran into is that when an email is sent to the group, the emails are not going into each members' inbox and are only visible in Outlook through "Go to groups" in the left hand menu.

I can see the settings that need to be set but can't set them because either, A: it just doesn't do it or B: says I don't have permission.

Doing this through C# and the Graph SDK

The two items I think I need to turn on are below. What permissions are needed to be able to manage those settings but NOT be able to have access to anyone and everyones' email boxes, emails, etc or is there another way to do this?

IsSubscribedByMail

AutoSubscribeNewMembers

Retrieve Item Analytics for Multiple Items

michalkornet — Thu, 13 Nov 2025 08:27:30 GMT

Hi,

our team has noticed that it’s not possible to retrieve analytics when querying a list of items using $expand.

When we run this type of query, we don’t receive an error indicating that it’s not allowed; instead, the analytics property just returns null values.

https://graph.microsoft.com/v1.0/sites/<<SiteId>>/lists/<<ListID>>/items?$expand=fields,analytics($expand=allTime)

However, when we query a single item, everything works as expected.

https://graph.microsoft.com/v1.0/sites/<<SiteId>>/lists/<<ListID>>/items/<<ListID>>/analytics/allTime

Is there a way to retrieve analytics data for multiple items in one request?

Missing types in personType resource type documentation

michalkornet — Fri, 07 Nov 2025 12:15:59 GMT

Hi,

Some time ago, I was working with the Microsoft Graph People endpoint and wanted to filter by personType properties. I’d like to suggest listing all possible values for personType in the documentation for the resource type.

Here’s the documentation I’ve been using:

personType resource type - Microsoft Graph v1.0 | Microsoft Learn

After some research, I found this blog post that seems to contain relevant information: https://devblogs.microsoft.com/microsoft365dev/people-api-available-in-microsoft-graph-v1/

Is this list still valid? If so, perhaps it could be included directly in the resource type documentation.

Thanks

Entra Conditional Access Issue

aniket-kuiri-procore — Thu, 30 Oct 2025 09:07:09 GMT

Hi Guys,
Our Outlook add-in relies on the Graph API to fetch emails. Due to customer-side Conditional Access (CA) Policies, we are seeing critical failures where Continuous Access Evaluation (CAE) demands user interaction (InteractionRequired code) to resolve challenges like LocationConditionEvaluationSatisfied or TokenCreatedWithOutdatedPolicies. Since this authentication occurs backend-to-Entra, we lack a frontend mechanism to prompt the required user interaction. Is there a recommended pattern, method, or architectural change that allows our backend to redirect or challenge the user for interactive sign-in, thereby satisfying these CAE requirements and unblocking customers? Exact error messages: 1. Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied 2. Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies

403 Error: Application access policy not found, -Global scope not available in tenant

David_Chan2255 — Mon, 13 Oct 2025 07:11:00 GMT

Hi everyone,

I'm trying to use Microsoft Graph API to retrieve online meeting details using an application identity. However, I receive a 403 error with the message:
"No application access policy found for this app"

I followed the documentation here: Configure application access policy, but I encountered a problem: the -Global scope mentioned in the documentation is not available in my tenant.

I’ve successfully granted the policy using the following methods:

Option A – Grant to Specific User

Grant-CsApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" -Identity "email address removed for privacy reasons"

Option B – Grant to AD Group

New-CsGroupPolicyAssignment -GroupId "YOUR_GROUP_ID" -PolicyType ApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME"

These work fine, and the app can access online meetings for users or groups assigned this way.
However, I need to allow the app to access meetings across the organization, and the -Global assignment method is not available in my tenant.

Questions:

Is there an alternative to -Global for tenant-wide access?
Is this limitation expected in certain tenant configurations?
Any workaround or best practice for enabling organization-wide access to online meetings via Graph API?

Thanks in advance!

Unable to authenticate with MSAL using a certificate

Jack_Le_Syn — Fri, 10 Oct 2025 05:07:54 GMT

Hi guys,

I'm using the certificate authentication for my WinForms app to connect to SharePoint and Graph API. I followed this article to create the certificate Create a self-signed public certificate to authenticate your application - Microsoft identity platform | Microsoft Learn

Uploaded the certificate to the App Registration, gave all appropriate permissions. However, when I tried to connect to SharePoint or the Graph API, I got this error

A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700021: Client assertion application identifier doesn't match 'client_id' parameter. Review the documentation at https://learn.microsoft.com/entra/identity-platform/certificate-credentials .
Microsoft.Graph.ServiceException: Code: generalException
Message: An error occurred sending the request.

BUT, this only happened on 1 specific machine running Windows 11 Pro. I tested on 4-5 different machines (both W10 and W11), they didn't get this error.

I tried verifying the cert thumbprint which matched the one uploaded on the App Registrations. The certificate is not stored in the machine cert store, I use X509KeyStorageFlags.EphemeralKeySet when calling it. Not sure what else to check.

403 Forbidden when sending mail with app-only token via Microsoft Graph

rcant — Fri, 03 Oct 2025 08:14:20 GMT

Hello,

I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD.

We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared.

I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python:

def get_access_token() -> str:
load_dotenv()
client_id = os.getenv("CLIENT_ID")
client_secret = os.getenv("CLIENT_SECRET")
tenant_id = os.getenv("TENANT_ID")

authority = f"https://login.microsoftonline.com/{tenant_id}"
scopes = ["https://graph.microsoft.com/.default"] # app-only token
app = msal.ConfidentialClientApplication(
client_id=client_id,
client_credential=client_secret,
authority=authority
)
result = app.acquire_token_for_client(scopes=scopes)

if "access_token" not in result:
raise RuntimeError(f"Auth failed: {result.get('error_description') or result}")
return result["access_token"]

The token is retrieved successfully. However, when I try to send an email with:

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool:
"""
Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token.
Returns True on success; raises HTTPError on failure.
"""
payload = {
"message": {
"subject": subject,
"body": {"contentType": "Text", "content": body_text},
"toRecipients": [{"emailAddress": {"address": to_address}}],
},
"saveToSentItems": bool(save_to_sent),
}
r = requests.post(
f"{GRAPH_BASE}/users/{from_user}/sendMail",
headers={"Authorization": f"Bearer {access_token}"},
json=payload,
timeout=20,
)
r.raise_for_status()
return True

…I get this error:

403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail
File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail

where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons).

Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail.

Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful.

Thank you!

Granting App ability to change group memberships by making it an owner?

Carl_Karawani — Thu, 25 Sep 2025 14:29:09 GMT

Hello,

We'd like an app to be able to control memberships of only certain security groups using app-based authentication.

Today it is documented that a GroupMember.ReadWrite.All role is needed to do this on the app registration:
https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

This, however, grants access to the app to make changes to any group.

However, we have noticed that API calls to change memberships work on groups owned by the Service Principal.

For example, if I make a call to the API below for memberships and the app is assigned as the owner of the group, it works.

https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/

Is this a supported mechanism? I don't see it documented anywhere.