403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello, I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared. I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python: def get_access_token() -> str: load_dotenv() client_id = os.getenv("CLIENT_ID") client_secret = os.getenv("CLIENT_SECRET") tenant_id = os.getenv("TENANT_ID") authority = f"https://login.microsoftonline.com/{tenant_id}" scopes = ["https://graph.microsoft.com/.default"] # app-only token app = msal.ConfidentialClientApplication( client_id=client_id, client_credential=client_secret, authority=authority ) result = app.acquire_token_for_client(scopes=scopes) if "access_token" not in result: raise RuntimeError(f"Auth failed: {result.get('error_description') or result}") return result["access_token"] The token is retrieved successfully. However, when I try to send an email with: GRAPH_BASE = "https://graph.microsoft.com/v1.0" def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool: """ Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token. Returns True on success; raises HTTPError on failure. """ payload = { "message": { "subject": subject, "body": {"contentType": "Text", "content": body_text}, "toRecipients": [{"emailAddress": {"address": to_address}}], }, "saveToSentItems": bool(save_to_sent), } r = requests.post( f"{GRAPH_BASE}/users/{from_user}/sendMail", headers={"Authorization": f"Bearer {access_token}"}, json=payload, timeout=20, ) r.raise_for_status() return True …I get this error: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons). Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail. Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful. Thank you!
Change Teams Meeting Options (Who can bypass lobby) via Graph API
I would like to change the who can bypass lobby meeting options of teams meeting via power automate using graph api. So, I checked the meeting options via teams user interface like below first photo. Then I tried to apply this configuration on power automate via graph. So, I checked the documentation of Update Event for Teams meeting as recommended the link following: https://docs.microsoft.com/en-us/graph/api/onlinemeeting-update?view=graph-rest-1.0&tabs=http But there is not any options to restrict the user outside of my organization like the parameter "People in my organization" in the teams meeting options user interface for lobbybyPassSettings parameter. I checked how the lobbybypassSettings gets the value if the who can bypass lobby parameter has been set via teams meeting options user interface via powerautomate. It sets this parameter as "unknownFutureValue". But when I checked the documentation, Microsoft does't recommend this value to set.
Microsoft Graph API : Some attributes are null when filtering by signInActivity/lastSignInDateTime
Hi. I have trouble retrieving the user's givenName and surname using Microsoft Graph API together with filtering using signInActivity/lastsignInDateTime. Here is the url I'm using: const graphUsersUrl = "https://graph.microsoft.com/V1.0/users?$top=999&$filter=signInActivity/lastSignInDateTime ge 2025-06-24T14:45:15Z and signInActivity/lastSignInDateTime le 2025-06-25T14:45:15Z&$select=id,givenName,surname,identities,signInActivity"; function mapUserEmails(userData: Array<any>) { return userData.map((userInstance) => { console.log(userInstance.givenName); return { userId: userInstance.id, givenName: userInstance.givenName, lastName: userInstance.surname, issuerAssignedId: userInstance.issuerAssignedId, userEmail: ( userInstance.identities as Array<{ signInType: string; issuerAssignedId: string; }> ).find((userIdentity) => userIdentity.signInType === "emailAddress") ?.issuerAssignedId, lastSignInDateTime: userInstance.signInActivity?.lastSignInDateTime, }; }); } In the returned result, the userId and lastSignInDateTime have values, but givenName and lastName are null. How can I get the values for givenName and surname? Any help is appreciated.
Microsoft Graph API: Outlook Contact NOT Permanently Deleted with PermanentDelete.PostAsync()
I'm encountering an issue when attempting to permanently delete an Outlook contact using the Microsoft Graph API. The contact was previously inserted without any problems via the API, and I also assigned a profile picture to it, uploaded via the API. Contact? contactAdded = await _graphClient.Users["{user-id}"] .ContactFolders["{folder-id}"] .Contacts.PostAsync(contactToBeAdd, cancellationToken: cancelToken); I'm using the PermanentDelete endpoint as described in the Microsoft Graph documentation: https://learn.microsoft.com/en-us/graph/api/contact-permanentdelete?view=graph-rest-1.0&tabs=http My C# code looks like this: await graphClient.Users["{user-id}"].ContactFolders["{folder-id}"].Contacts["{contact-id}"].PermanentDelete.PostAsync(); The code executes successfully without throwing any exceptions. However, when I check the Outlook application (desktop or web), the contact still exists. It appears that almost all of the contact's information has been deleted, but the contact itself remains visible and still appears in searches. Has anyone else experienced this issue and can suggest a solution or an alternative approach to permanently delete Outlook contacts using the Graph API? Thanks in advance for any help.Status code keep changing after every query (404 & 200)
I am using the graph api to get the folders under my OneDrive root directory but the result is different in every run (most of the time failing). I have given it the Files.Read and Files.ReadWrite permission. This happened after I changed my microsoft password, but changing it again doesn't fix the issue. The query: https://graph.microsoft.com/v1.0/me/drive/root/children?%24select=name%2C%20id The screen recording: https://youtu.be/NIaz0Q37osg Timestamp: 0:00 - 0:13: 404 Not found error 0:16 - 0:26: 200 Files are found correctly 0:27 - 0:32: 404 Not found error again, without changing the query
Approvals Not updating
I'm having a problem when retrieving the approvals created. Until 2024-12-26 at 13:16:48 UTC, when I created an approval, either through the application or through the API, it immediately appeared when I used get in the endpoint: https://graph.microsoft.com/beta/solutions/approval/approvalItems. Now I'm only able to see the approvals from before 2024-12-26 at 13:16:48 UTC, there is no record of the new approvals. I also noticed that, in the application, it's not showing the name of the person to whom the approval request was sent, only the name of the person who approved it, both for the new requests and for the old requests that have already been completed.
Sharepoint Lists: Format for POST Request to create Column as Choice with Multi Select Enabled
I am relatively new in using the Graph API. I am working on a script that creates new columns for an existing List on my company's SharePoint site. I am having trouble in creating a Choice Field Column that has Multiple Selection Enabled. I followed the documentation to create a Choice Field with the default (single select) as follows: const apiUrl = `https://graph.microsoft.com/v1.0/sites/${siteId}/lists/${listId}/columns`; const response = await fetch(apiUrl, { method: "POST", headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json", }, body: JSON.stringify(columnPayload), }); Where, columnPayload looks like the following: { "name": "Color", "choice": { "choices": ["Red", "Green", "Blue", "Purple"], "displayAs": "dropDownMenu" } } As expected I see the column created properly.... (Split bottom photo for cleaner view) Now, what changes must I make to have the Allow Multiple Selections toggle enabled when creating the column via the POST request. As we can see, by default, it is not enabled. I have looked over the documentation and have yet to come across anything that provides a solution. I assumed there would be additional fields within the "choice" field in the JSON body to specify this, however, I only see the following on the graph api site: I would appreciate any guidance on this.Using microsoft graph to pull calendar data weekly
Hello- I've building an app that requests calendar access from users with Graph API. I am hoping to request permissions once and then pull calendar data weekly but I'm not sure if this is possible. I'm using the python ms-graph sdk and the interactive authentication client to request access. I am seeing some things about offline_access scope providing a refresh token but unsure how it works and the docs I found haven't been helpful. Any help would be appreciated!How to revoke consent for a registered app programmatically?
Hello, I've been struggling with this issue for days. Tried many different endpoints and mostly got back cryptic errors only. Overall, zero progress. So, I really hope that someone here can help me out. I have a very simple application where users can sync their calendars and also receive new events directly into the calendar. I acquire "Calendars.ReadWrite, offline_access, User.Read" delegated permissions interactively. When the users decide to stop using my application, they can "unlink" and I will drop all the events, hooks, etc. What I am trying to achieve is that my third-party app would also disappear from the list of apps presented here: https://account.live.com/consent/Manage. In other words, a complete cleanup, revoking any access permissions, dropping all tokens, etc. It seems a very basic scenario. Google Calendar has a simple endpoint that can do exactly that: https://oauth2.googleapis.com/revoke?token=<TOKEN>. What am I missing? How can I do that? I am running out of ideas about what I can do with revokeSignInSessions and oAuth2PermissionGrant; it seems like I tried everything and nothing worked. It must be a common requirement, no? Thanks for reading this post! Any help is appreciated. Regards,
Get users with specified app roles
I have a question about the Graph API. I need to download all users who have been assigned the app role "Role" in "ApplicationA". I need it to download all users with the required app role to send an email. I have tried various ways, through the list of users using the following API: https://graph.microsoft.com/v1.0/users?$expand=appRoleAssignments&$count=true&$filter=appRoleAssignments/any(w:w/appRoleId eq {guid}) However this returns the following error, I have of course tried similar options. { "error": { "code": "Request_UnsupportedQuery", "message": "Property 'appRoleId' does not exist as a declared property or extension property.", "innerError": { "date": "2024-02-28T20:49:49", "request-id": "bf8991a4-82e9-4136-9664-1cebc1718ae0", "client-request-id": "bf8991a4-82e9-4136-9664-1cebc1718ae0" } } } I also tried using servicePrincipals. But this returns all users/applications assigned to the service principal and not just the role I need, and the filtering I tried with OData didn't work. Many items is downloaded: https://graph.microsoft.com/v1.0/servicePrincipals(appId='{guid}')/appRoleAssignedTo Do you know of a better solution? Thanks
