Slow UI update for deleted events
I've built an integration that continuously syncs events between an external scheduling system and Exchange Online using Microsoft Graph. I'm observing a recurring issue when deleting calendar events via Graph: A DELETE request to Graph returns success (204 No Content). A subsequent GET /events/{id} returns 404, confirming the event is deleted server-side. However, the event continues to appear in the Outlook UI (both Outlook Web and desktop) for an extended period (sometimes hours), even after page reloads or app restarts. The odd behaviour The event is still displayed in the user interface for up to several hours The event persist through page reloads If the user clicks the event it opens briefly and immediately closes, the event disappears from the UI afterward. Additional details Delete endpoint: /users/{id}/events/{id} Graph response: 204 No Content Verified deletion via GET → 404 Reproduces in both Outlook Web and Outlook desktop Questions Is this a known Outlook client caching or calendar view indexing issue? Is there a way to force client reconciliation after deletes? Are there Graph or Exchange constraints around rapid create/update/delete cycles that could cause this UI inconsistency?
Unable to retrieve all attachments from forwarded Outlook emails using Graph API
We have integrated Outlook with our system using Microsoft Graph API and subscribed to message events. Whenever we receive an event, we process the email message at our end. Currently, we are facing an issue related to attachments in forwarded email conversations. Scenario An email conversation contains multiple replies. Some of these replies contain attachments. When a user forwards the entire email thread, Outlook generates a forwarded email that includes the conversation history in the email body. Problem When we receive the forwarded email event and fetch the message details using the Microsoft Graph API, we observe the following: The forwarded email only contains the latest reply's attachment. Attachments from earlier replies in the thread are not included in the forwarded message attachments. In some cases: The first reply contains an attachment. Subsequent replies do not contain attachments. When the user forwards the email, the forwarded message JSON shows: hasAttachments: false But, the forwarded email body still contains the previous conversation that had attachments. Our Questions Is there a way to retrieve all attachments from the entire email thread when a conversation is forwarded? Can we retrieve these attachments using the current user's access token via Microsoft Graph API? If there is a way, please also let us know how we can identify forwarded emails using the Microsoft Graph API, so that we can apply this solution only for forwarded emails. Our Requirement We need a reliable solution that works in production to ensure that all attachments from the email conversation are retrieved, even when the email thread is forwarded. This issue is currently impacting our production system, so we would greatly appreciate any guidance on the correct approach. Thank you in advance for your support.
How to Retrieve Windows Edition (SKU) from managedDevices API
Hi everyone, I am working with the Microsoft Graph API endpoint /v1.0/deviceManagement/managedDevices to iterate through all devices in a tenant and collect operating system related information. For Windows devices, the operatingSystem field only returns "Windows". However, Windows has multiple editions such as Enterprise, Education, and Pro. For my use case, I need the specific Windows edition. Is it possible to retrieve this information using only the v1.0 endpoint, or is the beta endpoint /beta/deviceManagement/managedDevices/{managedDeviceId} required to get the SKU family? Thanks in advance for your help.
O365 Group email settings
I am in the middle of trying to create some automated routines that create groups in O365 and add/remove members from them as needed. One of things I ran into is that when an email is sent to the group, the emails are not going into each members' inbox and are only visible in Outlook through "Go to groups" in the left hand menu. I can see the settings that need to be set but can't set them because either, A: it just doesn't do it or B: says I don't have permission. Doing this through C# and the Graph SDK The two items I think I need to turn on are below. What permissions are needed to be able to manage those settings but NOT be able to have access to anyone and everyones' email boxes, emails, etc or is there another way to do this? IsSubscribedByMail AutoSubscribeNewMembers
403 Error: Application access policy not found, -Global scope not available in tenant
Hi everyone, I'm trying to use Microsoft Graph API to retrieve online meeting details using an application identity. However, I receive a 403 error with the message: "No application access policy found for this app" I followed the documentation here: Configure application access policy, but I encountered a problem: the -Global scope mentioned in the documentation is not available in my tenant. I’ve successfully granted the policy using the following methods: Option A – Grant to Specific User Grant-CsApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" -Identity "email address removed for privacy reasons" Option B – Grant to AD Group New-CsGroupPolicyAssignment -GroupId "YOUR_GROUP_ID" -PolicyType ApplicationAccessPolicy -PolicyName "YOUR_POLICY_NAME" These work fine, and the app can access online meetings for users or groups assigned this way. However, I need to allow the app to access meetings across the organization, and the -Global assignment method is not available in my tenant. Questions: Is there an alternative to -Global for tenant-wide access? Is this limitation expected in certain tenant configurations? Any workaround or best practice for enabling organization-wide access to online meetings via Graph API? Thanks in advance!403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello, I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared. I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python: def get_access_token() -> str: load_dotenv() client_id = os.getenv("CLIENT_ID") client_secret = os.getenv("CLIENT_SECRET") tenant_id = os.getenv("TENANT_ID") authority = f"https://login.microsoftonline.com/{tenant_id}" scopes = ["https://graph.microsoft.com/.default"] # app-only token app = msal.ConfidentialClientApplication( client_id=client_id, client_credential=client_secret, authority=authority ) result = app.acquire_token_for_client(scopes=scopes) if "access_token" not in result: raise RuntimeError(f"Auth failed: {result.get('error_description') or result}") return result["access_token"] The token is retrieved successfully. However, when I try to send an email with: GRAPH_BASE = "https://graph.microsoft.com/v1.0" def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool: """ Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token. Returns True on success; raises HTTPError on failure. """ payload = { "message": { "subject": subject, "body": {"contentType": "Text", "content": body_text}, "toRecipients": [{"emailAddress": {"address": to_address}}], }, "saveToSentItems": bool(save_to_sent), } r = requests.post( f"{GRAPH_BASE}/users/{from_user}/sendMail", headers={"Authorization": f"Bearer {access_token}"}, json=payload, timeout=20, ) r.raise_for_status() return True …I get this error: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons). Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail. Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful. Thank you!Granting App ability to change group memberships by making it an owner?
Hello, We'd like an app to be able to control memberships of only certain security groups using app-based authentication. Today it is documented that a GroupMember.ReadWrite.All role is needed to do this on the app registration: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http This, however, grants access to the app to make changes to any group. However, we have noticed that API calls to change memberships work on groups owned by the Service Principal. For example, if I make a call to the API below for memberships and the app is assigned as the owner of the group, it works. https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/ Is this a supported mechanism? I don't see it documented anywhere.The requesting principal is not authorized to set group preferred data location
We have our tenant with 4 Geo locations. And inside power automate flow I am sending this Graph Api to create a new security group under specific Geo location:- but I am getting this error:- The requesting principal is not authorized to set group preferred data location. Now if i remove this parameter:- "preferredDataLocation": "AUS", the Office 365 group will get created under the default location, but I need to add it to the specific location. the service account running the graph Api call has SharePoint, group and teams admin permissions. any advice? Thanks
