Teams channel messages delta API returns HTTP 400 BadRequest
Hello, We are encountering an unexpected error when calling the Microsoft Graph API endpoint: /teams/{team-id}/channels/{channel-id}/messages/delta This happens consistently for a specific Teams channel, which prevent us from retrieving incremental message updates using the delta query. Request URL: https://graph.microsoft.com/v1.0/teams/{team-id}/channels/{channel-id}/messages/delta?$deltatoken=<redacted-deltatoken> Error Response: HTTP 400 { "error": { "code": "BadRequest", "innerError": { "client-request-id": "<redacted>", "date": "2025-10-07T06:32:56", "request-id": "<redacted>" }, "message": "UnknownError" } } Steps already tried (unsuccessful): Start a fresh delta query without the $deltatoken to obtain a new valid token Use the beta endpoint: https://graph.microsoft.com/beta/teams/{team-id}/channels/{channel-id}/message/delta Additional observation: If we add a filter condition such as ?$filter=lastModifiedDateTime gt <some-timestamp> to skip messages before a certain time, the query works normally. This suggests that there may be one or more problematic messages within a specific time range that cause the API to fail with BadRequest. Questions: Is this a known issue with the Teams channel messages delta API? Are there any recommended workarounds to avoid this error? Thank you.
403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello, I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared. I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python: def get_access_token() -> str: load_dotenv() client_id = os.getenv("CLIENT_ID") client_secret = os.getenv("CLIENT_SECRET") tenant_id = os.getenv("TENANT_ID") authority = f"https://login.microsoftonline.com/{tenant_id}" scopes = ["https://graph.microsoft.com/.default"] # app-only token app = msal.ConfidentialClientApplication( client_id=client_id, client_credential=client_secret, authority=authority ) result = app.acquire_token_for_client(scopes=scopes) if "access_token" not in result: raise RuntimeError(f"Auth failed: {result.get('error_description') or result}") return result["access_token"] The token is retrieved successfully. However, when I try to send an email with: GRAPH_BASE = "https://graph.microsoft.com/v1.0" def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool: """ Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token. Returns True on success; raises HTTPError on failure. """ payload = { "message": { "subject": subject, "body": {"contentType": "Text", "content": body_text}, "toRecipients": [{"emailAddress": {"address": to_address}}], }, "saveToSentItems": bool(save_to_sent), } r = requests.post( f"{GRAPH_BASE}/users/{from_user}/sendMail", headers={"Authorization": f"Bearer {access_token}"}, json=payload, timeout=20, ) r.raise_for_status() return True …I get this error: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons). Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail. Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful. Thank you!
MS Graph Device OS Reporting
On the Intune android device view, the OS is listed as ‘Android (fully managed)’ or ‘Android (corporate-owned work profile)’. The MS Graph command get-mgdevicemanagement just has ‘Android’ for the OS attribute. Using MS Graph, does anyone know how or where to get the ‘Android (corporate-owned work profile)’ value that shows in the device view?Create bookingStaffMember also requires Add-MailboxPermission
I created an Entra application with the required Graph permissions to manage Bookings scheduling mailboxes so that I could update the staffing for a Bookings page that I'm not a staff member of. Using that application to request a Microsoft Graph access token, meant I had the required permissions to add a user account (that already had a Bookings license) as an "administrator" (role) for a Bookings page (Bookings business), to replace another person who was the previous Bookings page administrator, but who had since left. I used https://learn.microsoft.com/en-us/graph/api/bookingbusiness-post-staffmembers?view=graph-rest-1.0&tabs=powershell to do this. For the record, I was not able to do this using https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.bookings/new-mgbookingbusinessstaffmember?view=graph-powershell-1.0 using Microsoft.Graph.Bookings module version 2.30.0, presumably because I am not a staff member with the Bookings "administrator" role for that particular Bookings page. However, the newly added user could not access that Bookings page at https://outlook.office.com/bookings/homepage until a further step had been completed (Error: "You don't have access to this booking page" shows instead). To ensure the new Bookings page administrator could access the Bookings page, I needed to add mailbox permissions, which I used https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/add-mailboxpermission?view=exchange-ps for. I found that giving the new Bookings page administrator full access to the scheduling mailbox ensured they could access the Bookings page. Example using ExchangeOnlineManagement PowerShell module: Add-MailboxPermission -Identity email address removed for privacy reasons -User email address removed for privacy reasons -AccessRights FullAccess If there is a more efficient way for an system admin to add new staff to a Bookings page, please let me know - otherwise, hopefully this helps someone who gets stuck 😊Intune Assignment Checker - Get All Assigned Policies, Profiles and Applications
Hello everyone, I published a script that will provide a detailed overview of assigned Intune Configuration Profiles, Compliance Policies, and Applications for user, groups and devices. I have also added a option that will list all Assignments to "All users" and "All devices". Download and Setup Guide: https://intuneassignmentchecker.ugurkoc.de/ I hope that this little script will be helpful for you 🙂 Best regards UgurMicrosoft Graph - List apps in chat - 404 UnknownError
In Microsoft Graph, I would like to list all Teams apps associated to an onlineMeeting (to its chat actually). According to List apps in chat - Microsoft Graph v1.0 | Microsoft Learn, this is supported with the following request : GET /chats/{chat-id}/installedApps There is a note saying that if the chat is associated with an onlineMeeting instance, then, effectively, the teamsApps installed in the meeting will be listed. That should work. However, I'm getting a 404 with UnknownError as the error.code on my end. The right permission (TeamsAppInstallation.ReadWriteForChat) is granted (Chat.ReadWrite is granted as well). Testing from Graph Explorer from now. Please note that the following is working to get chat messages with the same chat-id : GET /chats/{chat-id}/messages or the following to get chat members : GET /chats/{chat-id}/members I've tried the endpoint POST /chats/{chat-id}/installedApps to add an app to the chat as well but I'm getting the same kind of 404 (documented on Add app to chat - Microsoft Graph v1.0 | Microsoft Learn). Any advice? ThanksHow to deploy M365 Companion app through Intune
Hi All, I have a requirement of deploying M365 companion app to a few users in the company. However, when I tried with Win32 apps in Intune, it gets failed every time even though the scripts success manually. Does anyone know how to deploy M365 companion app from Intune? I have downloaded the app from below link and used the below command: https://learn.microsoft.com/en-us/microsoft-365-apps/companions/overview#set-up-the-companion-apps Echo OFF m365companionsetup.exe /quiet Thanks in advanced, Dilan
Graph API 1.0 - Listing lists doesn't return all lists (todoTaskList)
Hi, first time posting here, please let me know if I should be doing something differently! I've searched throughout the internet and couldn't find a reason for this. I've got a couple of users running into a problem where the https://learn.microsoft.com/en-us/graph/api/todo-list-lists?view=graph-rest-1.0&tabs=http endpoint only returns one list (Flagged Emails), though these users have and see many other lists in the To Do desktop (macOS) app. I've confirmed in both cases it's the same user that's identified in my app/integration and in the desktop app. They can see the tasks in that list without a problem. There are no errors requesting that list, and asking via `/users/{id|userPrincipalName}/todo/lists` also returns the same response (with that one list). Is there any known situation where this could be happening? Am I missing something obvious? Is there something else I should be trying? I've got many other customers using the To Do integration without a problem. I'm aware "My Day" and a few other special lists aren't returned. Thank you so much!
