Office Graph
186 Topics

403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello,

I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared.

I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python:

    import os

    import msal
    from dotenv import load_dotenv

    def get_access_token() -> str:
        # Read the app registration's credentials from the environment (.env file)
        load_dotenv()
        client_id = os.getenv("CLIENT_ID")
        client_secret = os.getenv("CLIENT_SECRET")
        tenant_id = os.getenv("TENANT_ID")
        authority = f"https://login.microsoftonline.com/{tenant_id}"
        scopes = ["https://graph.microsoft.com/.default"]  # app-only token
        app = msal.ConfidentialClientApplication(
            client_id=client_id,
            client_credential=client_secret,
            authority=authority
        )
        # Client-credentials flow: no user is signed in
        result = app.acquire_token_for_client(scopes=scopes)
        if "access_token" not in result:
            raise RuntimeError(f"Auth failed: {result.get('error_description') or result}")
        return result["access_token"]

The token is retrieved successfully. However, when I try to send an email with:

    import requests

    GRAPH_BASE = "https://graph.microsoft.com/v1.0"

    def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool:
        """
        Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token.
        Returns True on success; raises HTTPError on failure.
        """
        payload = {
            "message": {
                "subject": subject,
                "body": {"contentType": "Text", "content": body_text},
                "toRecipients": [{"emailAddress": {"address": to_address}}],
            },
            "saveToSentItems": bool(save_to_sent),
        }
        r = requests.post(
            f"{GRAPH_BASE}/users/{from_user}/sendMail",
            headers={"Authorization": f"Bearer {access_token}"},
            json=payload,
            timeout=20,
        )
        r.raise_for_status()
        return True

…I get this error:

    403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail
      File "C:\mail\src\mail.py", line 53, in send_email
        r.raise_for_status()
        ~~~~~~~~~~~~~~~~~~^^
      File "C:\mail\src\mail.py", line 111, in <module>
        send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human")
        ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail

where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons).

Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail.

Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful.

Thank you!

101 Views, 0 likes, 1 Comment

The requesting principal is not authorized to set group preferred data location
We have our tenant with 4 Geo locations. And inside a Power Automate flow I am sending this Graph API to create a new security group under a specific Geo location:-

but I am getting this error:-

The requesting principal is not authorized to set group preferred data location.

Now if I remove this parameter:-

    "preferredDataLocation": "AUS",

the Office 365 group will get created under the default location, but I need to add it to the specific location. The service account running the Graph API call has SharePoint, group and Teams admin permissions. Any advice?

Thanks

53 Views, 0 likes, 0 Comments

Share MS Teams recording with someone using Graph API
Hi,

There is a requirement to share MS Teams recordings with the required Azure AD users using Graph API. We have a Power Automate flow which runs after the meeting sessions end. The requirement is that all recordings related to that session should be shared with specified users, which may vary based on the session configuration. We have the meeting joining URL and also the meeting ID, a long string and not the GUID.

We have tried two approaches using the Graph API.

1) Using the approach below we were able to get the meeting records:

https://graph.microsoft.com/v1.0/users/84e35ca5-0000-0000-0000-20ef90928402/onlineMeetings/MSo4NGUzNWNhNS02NjM3LTQ4NGEtYmE5MS0yMGVmOTA5MjgwertyMCoqMTk6bWVldGluZ19OR123TlRZMU0ySXRNRGMzT0MwMFl6SXdMVGhoT0RrdFpHTXlOak5pT0dOa05qVTBAdGhyZWFkLnYy/recordings

but this approach is good if you want to get the recording content to copy it to another location; it does not return the OneDrive location.

2) Using the following approach we can get the OneDrive path, but there is no way to filter the recordings:

https://graph.microsoft.com/v1.0/drives/b!u_gscMc-uEeF2AgpET9lx123werdOz1Fg_KTQFlVLnYAXRY1W9IKQqzF7v234rW1/root:/Recordings:/children

so it is not feasible.

By using the first approach, we can move the recording to SharePoint and share it from there, but considering the recording size, we do not want to use this approach unless there is no other way.

Let me know if there is any other way or if I am missing anything.

50 Views, 0 likes, 0 Comments

Graph API : Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
Hi Team,

I have a Graph app and user configured with the following resourceAccess scopes:

    "resourceAccess": [
        { "id": "06da0dbc-49e2-44d2-8312-53f166ab848a", "type": "Scope" },
        { "id": "9c7a330d-35b3-4aa1-963d-cb2b9f927841", "type": "Scope" },
        { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" },
        { "id": "b340eb25-3456-403f-be2f-af7a0d370277", "type": "Scope" }
    ]

However, when trying to pull presence data, I receive the following error in Postman:

    StatusCode: Forbidden
    Message: Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.

Graph Explorer also fails to return presence for a specific user using:

https://graph.microsoft.com/beta/users/{user-id}/presence

But the endpoint for the signed-in user works fine:

https://graph.microsoft.com/beta/me/presence

Admin consent has been granted, and even the Global Admin cannot retrieve presence for other users. Other permissions work fine — the app can list users and connect without issue. Presence is the only operation failing.

Question: How can I investigate this behavior in Azure/Entra using the request-id or client-request-id from the error response? Or what could cause this behavior?

Thanks in advance!

51 Views, 0 likes, 0 Comments

Issue with Downloading Teams Sticker via Graph API - HTTP 400 Bad Request
Hi all,

I am encountering an issue when attempting to download a sticker from Microsoft Teams using the Graph API. Below are the details of my request and the problem I am facing:

Issue Description:

I am using the following API format to download a sticker:

    GET https://graph.microsoft.com/v1.0/teams/xxx/messages/yyy/hostedContents/zzz/$value

The request returns an HTTP 400 Bad Request response. The error details are as follows:

    {
      "error": {
        "code": "BadRequest",
        "message": "Provided hosted content identifier is invalid."
      }
    }

Upon decoding the zzz part of the API request URL, I obtained the following information:

    id=,type=1,url=https://us-prod.asyncgw.teams.microsoft.com/v1/url/content?url=https%3a%2f%2fstatic.wixstatic.com%2fmedia%2f4b00a4_e293905cf80f4ba4853c80a0a98dd748~mv2.png

From the decoded data, it appears that the id field is empty. I suspect that this might be the reason why I am receiving the HTTP 400 Bad Request response.

Questions:

- Has anyone encountered a similar issue when attempting to download a hosted sticker from Teams via the Graph API?
- Is there a specific reason why the id field is empty in the decoded content information?
- How can I resolve this issue and successfully retrieve the sticker content?

Any insights or guidance on resolving this issue would be greatly appreciated. Thank you for your support.

Best regards,
Kein

455 Views, 0 likes, 8 Comments

Mail delivery fail when I Add events to Calendar
Hello,

I have a Contoso tenant for Developer tasks.

We are creating one web app for room reservations in a corporation using 365 accounts.

After some "ok" tests, the reservation has started to fail because the sender has been put in the Spam list.

The fail message email that the sender email account gets is:

    Your message wasn't delivered because the recipient's email provider rejected it. Remote server returned '550 5.7.501 Service unavailable. Spam abuse detected from IP range...

The API we are using uses the calendar:

    var res = await graphClient.Users[currUserId].Calendar.Events
        .Request()
        .AddAsync(evento);

Any trick to avoid this problem?

Thank you in advance,
Bruno

349 Views, 0 likes, 1 Comment

OneNote Teams Tab created with Graph
Since a couple of weeks, all kinds of weird behaviors occur with OneNote Teams Tab and Graph:

- I'm aware of the inability to use App-Only authentication since March 31st. I had to create a custom connector in Power Automate to use Delegated permissions and update all my customers' flows interacting with OneNote....😠
- I'm aware of the latest unsupported use of the configuration contentUrl property when creating OneNote Teams Tab.

Here are my major issues:

- I had Teams OneNote Tabs created with Graph API where the contentUrl was set using the OneNote Site Assets Url (Ex: https://contoso.sharepoint.com/sites/ProjectA/SiteAssets/OneNote-ProjectA). Since a couple of days, these tabs do not work anymore (Can't reach this app...). Lately there was an issue regarding opening OneNote Teams tab but Microsoft says it is fixed.. But I still have the issue.

  Question: Is the way I set the contentUrl for these tabs the reason why it does not work anymore, or should it still work?

- I had to find a way to create and configure OneNote tabs in Teams using Graph (automated provisioning). I was surprised to make it work using the configuration contentUrl property as it is not supported anymore 😦.... I had to build the url with something like this:

      "contentUrl" : "https://m365.cloud.microsoft/launch/onenote/officeunihost/teams?auth=2&flight=officeunihost&notebookSource=Link&oneNoteWebUrl={oneNoteWebUrl-Encoded}&notebookIsDefault=false&subEntityId={subEntity-Encoded'}&locale={locale}&tid={tid}&upn={userPrincipalName}&groupId={groupId}&theme={theme}&entityId={entityId}&sessionId={sessionId}&ringId={ringId}&teamSiteUrl={teamSiteUrl}&channelType={channelType}&appSessionId={appSessionId}&hostClientType={hostClientType}"

  Question: Should I avoid this approach to create Teams OneNote tabs? Are there any other options?

Thanks!

51 Views, 0 likes, 0 Comments

Getting 403 Unauthorized on Graph API Mail Access (School Project with Consent Given)
Hi everyone,

I'm currently working on a school project involving the Microsoft Graph API, and I'm running into an issue. I hope someone in here can help me with it.

The project is called Sumday. It’s a concept app that pulls in emails daily from a user's mailbox, summarizes them using the ChatGPT API into a to-do list, and then creates tasks in Microsoft To Do. The goal is to provide users with a daily productivity summary and action plan based on their incoming mail.

The issue is this: Even though another user has granted consent to my app registration (via delegated permissions), I receive a 403 Unauthorized error on every API call when trying to read their mailbox.

I understand that delegated permissions require the signed-in user to match the mailbox being accessed, but since this is just a school project and not a production application, I’m wondering:

- Is there any workaround or sandbox approach that allows this kind of delegated access to be simulated?
- Is the issue caused by Microsoft 365 education/school tenant restrictions?
- Since I can log in and access my own mailbox just fine, is there a way I can safely test cross-user scenarios for demo purposes?

Important note: I did manage to get this working using a Logic App, but that’s not the approach I want to take for this project. My goal is to integrate everything within my own app and codebase, so relying on Logic Apps is more of a temporary workaround rather than a long-term solution.

I’m not trying to bypass any limitations, just hoping to better understand what’s possible in this context and how I can move forward with developing and testing the core idea.

If anyone has insights, experience, or advice on this, I’d really appreciate your help. Thanks in advance!

Best,
Chris

193 Views, 0 likes, 4 Comments

"User content migrated" Error when Creating OneDrive Webhook Subscription
Dear Microsoft Community,

Our application is encountering an undocumented error when attempting to set up a Webhook Subscription to a OneDrive app-root folder (/drive/special/approot). This issue began approximately one day after deployment, following an initial period where the subscription process worked correctly, and has now persisted for several weeks.

Here's the full error message:

    {
      "error": {
        "code": "ExtensionError",
        "message": "Operation: Create; Exception: [Status Code: ServiceUnavailable; Reason: User content migrated. Cannot access disabled item.]",
        "innerError": {
          "date": "2025-06-10T10:58:15",
          "request-id": "edff6dc0-45b7-4e7c-8797-3134ebc6bae4",
          "client-request-id": "edff6dc0-45b7-4e7c-8797-3134ebc6bae4"
        }
      }
    }

Could this error be related to:

- The absence of an MPN ID?
- The type of Microsoft account used for app registration (personal vs. work account)?

Any insights or suggestions would be greatly appreciated!

79 Views, 0 likes, 0 Comments

Unexpected 429 Errors from SharePoint /list and /content APIs – Not Near Documented Limits
Hi everyone,

I'm currently working with the Microsoft Graph /list API to retrieve files from a SharePoint document library and then using the /content endpoint to download each file.

After processing approximately 1000 records, I began receiving 429 Too Many Requests errors. On reviewing the API traffic from my application, I found that we're only making about 150 API calls per minute, which is well below the documented thresholds.

According to Microsoft’s guidance on avoiding throttling in SharePoint Online (link to docs), the usage is nowhere near the stated API or egress limits — especially the tenant-level thresholds like 1,200 API calls/min or 100GB/hour egress.

What’s puzzling is the lack of transparency — I’m unable to find any dashboards, logs, or reports in Microsoft 365 or Entra that show how many API requests are being made or what limits are being approached.

My questions:

- Are there any hidden or undocumented limits (e.g., per-user, per-app, or per-site collection)?
- Could /content downloads have higher cost per call or impact the limit differently?
- Is there any way to monitor detailed API usage against SharePoint or Graph API from the Microsoft portal?

Would appreciate any guidance or insights from others who’ve faced similar issues! Thanks in advance!

65 Views, 0 likes, 0 Comments