Entra Conditional Access Issue
Hi Guys, Our Outlook add-in relies on the Graph API to fetch emails. Due to customer-side Conditional Access (CA) Policies, we are seeing critical failures where Continuous Access Evaluation (CAE) demands user interaction (InteractionRequired code) to resolve challenges like LocationConditionEvaluationSatisfied or TokenCreatedWithOutdatedPolicies. Since this authentication occurs backend-to-Entra, we lack a frontend mechanism to prompt the required user interaction. Is there a recommended pattern, method, or architectural change that allows our backend to redirect or challenge the user for interactive sign-in, thereby satisfying these CAE requirements and unblocking customers? Exact error messages: 1. Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied 2. Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies
403 Error: Application access policy not found, -Global scope not available in tenant
Hi everyone, I'm trying to use Microsoft Graph API to retrieve online meeting details using an application identity. However, I receive a 403 error with the message: "No application access policy found for this app" I followed the documentation here: Configure application access policy, but I encountered a problem: the -Global scope mentioned in the documentation is not available in my tenant. I’ve successfully granted the policy using the following methods: Option A – Grant to Specific User Grant-CsApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" -Identity "email address removed for privacy reasons" Option B – Grant to AD Group New-CsGroupPolicyAssignment -GroupId "YOUR_GROUP_ID" -PolicyType ApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" These work fine, and the app can access online meetings for users or groups assigned this way. However, I need to allow the app to access meetings across the organization, and the -Global assignment method is not available in my tenant. Questions: Is there an alternative to -Global for tenant-wide access? Is this limitation expected in certain tenant configurations? Any workaround or best practice for enabling organization-wide access to online meetings via Graph API? Thanks in advance!
403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello, I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared. I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python: def get_access_token() -> str: load_dotenv() client_id = os.getenv("CLIENT_ID") client_secret = os.getenv("CLIENT_SECRET") tenant_id = os.getenv("TENANT_ID") authority = f"https://login.microsoftonline.com/{tenant_id}" scopes = ["https://graph.microsoft.com/.default"] # app-only token app = msal.ConfidentialClientApplication( client_id=client_id, client_credential=client_secret, authority=authority ) result = app.acquire_token_for_client(scopes=scopes) if "access_token" not in result: raise RuntimeError(f"Auth failed: {result.get('error_description') or result}") return result["access_token"] The token is retrieved successfully. However, when I try to send an email with: GRAPH_BASE = "https://graph.microsoft.com/v1.0" def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool: """ Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token. Returns True on success; raises HTTPError on failure. """ payload = { "message": { "subject": subject, "body": {"contentType": "Text", "content": body_text}, "toRecipients": [{"emailAddress": {"address": to_address}}], }, "saveToSentItems": bool(save_to_sent), } r = requests.post( f"{GRAPH_BASE}/users/{from_user}/sendMail", headers={"Authorization": f"Bearer {access_token}"}, json=payload, timeout=20, ) r.raise_for_status() return True …I get this error: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons). Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail. Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful. Thank you!Granting App ability to change group memberships by making it an owner?
Hello, We'd like an app to be able to control memberships of only certain security groups using app-based authentication. Today it is documented that a GroupMember.ReadWrite.All role is needed to do this on the app registration: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http This, however, grants access to the app to make changes to any group. However, we have noticed that API calls to change memberships work on groups owned by the Service Principal. For example, if I make a call to the API below for memberships and the app is assigned as the owner of the group, it works. https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/ Is this a supported mechanism? I don't see it documented anywhere.
Slow download speed using GRAPH api
I wanted to start a little discussion because I can't find any information about my issue with download speed of GRAPH api. So Let's start with some information that I have a python app that connect to my One drive Business. I have there two folders with pdf's one is about 70k and one is 7k. I connect to them successfully. I know that this API has some limitation with the amount it can download on one request but still I think it is not fault but my and lack of knowledge. The biggest problem is when I use some search feature in my app that requires searching a specific file(it just freeze my whole app). I make all communication inside my python code and I don't see any room to further optimization. I will just mention that this is my first time working with API and clearly don't know where to ask for any help.
The requesting principal is not authorized to set group preferred data location
We have our tenant with 4 Geo locations. And inside power automate flow I am sending this Graph Api to create a new security group under specific Geo location:- but I am getting this error:- The requesting principal is not authorized to set group preferred data location. Now if i remove this parameter:- "preferredDataLocation": "AUS", the Office 365 group will get created under the default location, but I need to add it to the specific location. the service account running the graph Api call has SharePoint, group and teams admin permissions. any advice? ThanksShare MS Teams recording with someone using Graph API
Hi, There is a requirement to share MS Teams recordings with the required Azure AD users using Graph API. We a Power Automate flow which runs after the meeting sessions end. The requirement is that all recordings related to the that session should be shared with specified users which many vary based on the session configuration. We have the meeting joining URL and also the meeting ID, long string and not the GUID. We have tried two approaches using the Graph API. 1) using the approach below we were able to get the meeting records https://graph.microsoft.com/v1.0/users/84e35ca5-0000-0000-0000-20ef90928402/onlineMeetings/MSo4NGUzNWNhNS02NjM3LTQ4NGEtYmE5MS0yMGVmOTA5MjgwertyMCoqMTk6bWVldGluZ19OR123TlRZMU0ySXRNRGMzT0MwMFl6SXdMVGhoT0RrdFpHTXlOak5pT0dOa05qVTBAdGhyZWFkLnYy/recordings but this approach is good if you want to get the recording content to copy it to another location, it does not return the OneDrive location. 2) using the following approach we can get the OneDrive path but there is no way to filter the recordings https://graph.microsoft.com/v1.0/drives/b!u_gscMc-uEeF2AgpET9lx123werdOz1Fg_KTQFlVLnYAXRY1W9IKQqzF7v234rW1/root:/Recordings:/children so it is not feasible By using the first approach, we can move the recording to SharePoint and share it from there but considering the recording size, we do not want to use this approach unless there is no other way. Let me know if there is any other way or if i am missing any thing.
Graph API : Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
Hi Team, I have a Graph app and user configured with the following resourceAccess scopes: Code "resourceAccess": [ { "id": "06da0dbc-49e2-44d2-8312-53f166ab848a", "type": "Scope" }, { "id": "9c7a330d-35b3-4aa1-963d-cb2b9f927841", "type": "Scope" }, { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" }, { "id": "b340eb25-3456-403f-be2f-af7a0d370277", "type": "Scope" } ] However, when trying to pull presence data, I receive the following error in Postman: Code StatusCode: Forbidden Message: Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. Graph Explorer also fails to return presence for a specific user using: https://graph.microsoft.com/beta/users/{user-id}/presence But the endpoint for the signed-in user works fine: https://graph.microsoft.com/beta/me/presence Admin consent has been granted, and even the Global Admin cannot retrieve presence for other users. Other permissions work fine — the app can list users and connect without issue. Presence is the only operation failing. Question: How can I investigate this behavior in Azure/Entra using the request-id or client-request-id from the error response? Or what could cause this behavior? Thanks in advance!
Does Microsoft Graph API Throttle When Triggering More Than 200 On-Demand Remediation Calls?
Hi Everyone, I'm using the following Microsoft Graph API endpoint to trigger proactive remediation scripts on Intune-managed devices: POST https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}/initiateOnDemandProactiveRemediation My scenario involves triggering this API for around 200+ devices, each with multiple scripts. I have a few concerns and would appreciate some guidance: Are there any throttling limits specific to this endpoint or the Intune service that I should be aware of? If I send 200+ POST requests in a short time window, will I hit rate limits or receive 429 errors? What is the recommended approach to avoid throttling — should I batch requests, add delays, or implement retry logic? Is there any official documentation or best practices for handling bulk remediation triggers? I’ve reviewed the general Microsoft Graph throttling guidance and service-specific throttling limits, but I’m unsure how they apply to this specific endpoint. Any help, examples, or insights would be greatly appreciated! Thanks, Swahela MullaQuery Regarding Duplicate Message IDs from Microsoft Graph API
Hello Microsoft Support Team, I am currently using the Microsoft Graph API to fetch email messages from the inbox of a my support email in my PHP application. However, I am encountering an issue where the API returns duplicate message IDs for emails. This is causing problems as emails with the same id are being processed multiple times, which results in duplicate ticket creation in my CRM system. To avoid this, I am currently checking and skipping duplicate IDs manually in my application. However, I would like to understand the root cause of these duplicates and whether there is an official recommendation or best practice to handle such cases effectively. Here are some additional details: API Endpoint: GET graph.microsoft.com/beta/users/$userEmailEncoded/mailFolders/Inbox/messages?\$top=20&\$orderby=receivedDateTime%20desc Issue: Duplicate message IDs (id) returned for the same email. Current Handling: I am skipping already processed emails using a tracking for message IDs to prevent duplicate ticket creation. Additionally, I have a few more queries regarding the use of internetMessageId and fetching attachments: Problem with internetMessageId: When I use internetMessageId, the internetMessageId of a replied message returns null. How can I use this ID effectively to manage or track message threads and replies? Attachments with internetMessageId: Is it possible to fetch attachments for a message using the internetMessageId? I am trying to retrieve attachments for a specific email using this ID, but I am not sure how to do this efficiently. Could you please advise on the following: Is there a recommended way to handle or filter out duplicate emails when fetching email data from the Graph API? Is there any mechanism in the API to ensure unique messages, especially when calling this endpoint frequently? How can I properly use internetMessageId for tracking message threads and replies, and why is it returning null for replied messages? Can I retrieve attachments using internetMessageId or is there another method for doing so? I would greatly appreciate any guidance or suggestions you can provide. Thank you for your time and assistance. Best regards, Krishna Adroja email address removed for privacy reasons
