403 Forbidden when sending mail with app-only token via Microsoft Graph
Hello, I am trying to send emails from my Outlook account using a registered enterprise application in Azure AD. We created an application registration in our tenant, assigned the relevant users, and granted admin consent for these Microsoft Graph application permissions: Mail.Send and Mail.ReadWrite and Mail.Send.Shared. I authenticate with application credentials (client_id, client_secret, tenant_id) and successfully retrieve an app-only access token using MSAL in Python: def get_access_token() -> str: load_dotenv() client_id = os.getenv("CLIENT_ID") client_secret = os.getenv("CLIENT_SECRET") tenant_id = os.getenv("TENANT_ID") authority = f"https://login.microsoftonline.com/{tenant_id}" scopes = ["https://graph.microsoft.com/.default"] # app-only token app = msal.ConfidentialClientApplication( client_id=client_id, client_credential=client_secret, authority=authority ) result = app.acquire_token_for_client(scopes=scopes) if "access_token" not in result: raise RuntimeError(f"Auth failed: {result.get('error_description') or result}") return result["access_token"] The token is retrieved successfully. However, when I try to send an email with: GRAPH_BASE = "https://graph.microsoft.com/v1.0" def send_email(access_token: str, from_user: str, to_address: str, subject: str, body_text: str, save_to_sent: bool = True) -> bool: """ Sends a plain-text email via POST /users/{from_user}/sendMail using an app-only token. Returns True on success; raises HTTPError on failure. """ payload = { "message": { "subject": subject, "body": {"contentType": "Text", "content": body_text}, "toRecipients": [{"emailAddress": {"address": to_address}}], }, "saveToSentItems": bool(save_to_sent), } r = requests.post( f"{GRAPH_BASE}/users/{from_user}/sendMail", headers={"Authorization": f"Bearer {access_token}"}, json=payload, timeout=20, ) r.raise_for_status() return True …I get this error: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail File "C:\mail\src\mail.py", line 53, in send_email r.raise_for_status() ~~~~~~~~~~~~~~~~~~^^ File "C:\mail\src\mail.py", line 111, in <module> send_email(token, from_user, to, "Hello from Microsoft Graph", "Hello Human") ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/users/{from_user}/sendMail where {from_user} is my actual mailbox address (e.g., email address removed for privacy reasons). Since the app has Mail.Send (Application) permission with admin consent, my understanding is that the app should be able to send mail on behalf of any user in the tenant using /users/{user}/sendMail. Is there another configuration step I am missing (e.g., Application Access Policy or mailbox-level Send As requirement)? Any guidance on why this 403 happens despite having Mail.Send application permissions with admin consent would be very helpful. Thank you!
"User content migrated" Error when Creating OneDrive Webhook Subscription
Dear Microsoft Community, Our application is encountering an undocumented error when attempting to set up a Webhook Subscription to a OneDrive app-root folder (/drive/special/approot). This issue began approximately one day after deployment, following an initial period where the subscription process worked correctly, and has now persisted for several weeks. Here's the full error message: { "error": { "code": "ExtensionError", "message": "Operation: Create; Exception: [Status Code: ServiceUnavailable; Reason: User content migrated. Cannot access disabled item.]", "innerError": { "date": "2025-06-10T10:58:15", "request-id": "edff6dc0-45b7-4e7c-8797-3134ebc6bae4", "client-request-id": "edff6dc0-45b7-4e7c-8797-3134ebc6bae4" } } } Could this error be related to: - The absence of an MPN ID? - The type of Microsoft account used for app registration (personal vs. work account)? Any insights or suggestions would be greatly appreciated!
Grant "read" role for a DriveItem to an Entra ID app
Context My web app uses an Entra ID application to organize file transfer from Sharepoint to the local storage. For this to work, a combination of “Files.Read.All” Delegated permission and FilePicker SDK v7.2 for JavaScript is used. A user authorizes using his Microsoft work account, agrees with the consent, selects a file, and the web app reads and downloads that file. Question How to have a stable way for the Entra ID app to read any file, which was previously selected by any user, at any time? (Have a permanent “read” access) What I have tried Files.SelectedOperations.Selected Application permission. I can request a JWT token for the Entra ID app (POST /tenant_id/oauth2/v2.0/token), but a call (POST /v1.0/sites/site_Id/drives/drive_Id/items/item_Id/permissions) to grant “read” role for a DriveItem by siteId, driveId and itemId retrieved from FilePicker SDK's response returns 403 “accessDenied”. Apparently, that’s the user who must grant access to that file, but on UI he cannot share it with an Entra ID app, only with another user. Re-usage of user’s accessToken which comes from FilePicker SDK to backend to grant "read" role for the Entra ID app to the file he has just selected. This accessToken is not full and cannot be used to perform such an operation. Ultimate Goal (just for more context) Implement OneDrive file auto-synchronization service for the web app. For example, a user uploads a file to the web app. A month later he updates this file on Sharepoint in a site-collection or My Files. A background task is launched daily to update obsoleted files in the web app. The application must be able to read and download the respective DriveItem without any user interaction. Business Restrictions Excessive Application type permissions (Files.Read.All, FullControl, etc.) are not allowed. Sites.Selected is highly NOT preferred because it requires global changes for users to transfer (copies of) their content on a special site-collection the Entra ID app will have to monitor. So is actual if each customer Users should not be involved into using developer tools, like sending POST requests through Postman or Graph Explorer. Authorization flows which involve refreshing the received users' accessTokens are not allowed. I am grateful for any information and ideas!Problem copying file in SharePoint with Ms Graph v5.x
Hello. I need to copy a file in SharePoint, with Ms Graph v5.61 to a new folder (in the same library). The problem is that it copies but the process does not wait for it to complete and returns null, then I check and the file exists. I pass the code that I am using. public async Task<string?> CopyAsync(string listDriveId, string sourceDriveId, string destinationDriveId, string newName) { try { GraphSDK.Drives.Item.Items.Item.Copy.CopyPostRequestBody destinationInfo = new GraphSDK.Drives.Item.Items.Item.Copy.CopyPostRequestBody() { ParentReference = new ItemReference() { DriveId = listDriveId, Id = destinationDriveId }, Name = newName }; DriveItem? copy = await _graphClient.Drives[listDriveId].Items[sourceDriveId].Copy.PostAsync(destinationInfo); // Problem: "copy" is always null, but it is copied. When I check if the copied file exists, this file exists. if (copy != null) { return copy.Id; } } catch { } return null; } Can you help me? Thank you very much.
PowerApp Graph Custom Connector without User Login
So I've been trying to create an app that will allow users to set and edit their own pronouns and then store those pronouns in Graph for use in Email Signatures and the such. I've been following this tutorial <https://www.m365princess.com/blogs/azure-ad-directory-extensions/> in doing so, and I've basically got it down I've made the app and it works. However, it only works for me, i.e. admins. Whenever another user logs in and they are able to view their pronouns, i.e. GET graph.microsoft.com/me, but can't update their pronouns, PATCH graph.microsoft.com/me?$select=pronouns They get this error: My question is what can I do to get this app to be able to make the changes to this one specific item in graph, or allow for users to be able to edit this for themselves, or something that would make this work. Or perhaps I'm going about it the wrong way. Any help is appreciated, KamalaTeams: adding users through teams or groups
Hi there, I'm in the progress of making a coupling between our SIS (school information system) and Teams us MS Graph. In the past we used SDS for that, but that is going into a direction we don't like. Not the discussion for now. This is: Currently at the point where I have to make a decision on how to add owners/members to the teams I create. Teams being specialized groups I seem to have 2 options: - with the groups add member/owner option (https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http) - with the teams add member/owner option (https://learn.microsoft.com/en-us/graph/api/team-post-members?view=graph-rest-1.0&tabs=http) It seems that by adding them through the groups option there can be a 24 hour delay before the user is actually added to the team, and one of the team users will have to have been online in the Teams desktop app. A bit of a hazzle it seems. Reading that I'm inclined to add them using the teams method. But are there other consideration that I'm missing? PeterRetrieve over 28 days of teams call data
Hi, I'm writing a powershell script that is using graph API to retrieve call data from Teams older than 28 days. The Error I get is: Invoke-RestMethod : The remote server returned an error: (404) Not Found. At C:\VSSource\Teams scipt\Teamsdata2.ps1:40 char:13 + $Response = Invoke-RestMethod -Method Post -Uri $APIUrl -Headers $Hea ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodComma nd The script I have written is (I have removed Tennat ID, Client ID etc) # Set your tenant ID, client ID, and client secret $TenantId = " " $ClientId = " " $ClientSecret = " " # Constants and endpoint URLs $Authority = "https://login.microsoftonline.com/$TenantId" $Resource = "https://graph.microsoft.com" $Scope = "https://api.interfaces.records.teams.microsoft.com/Teams.VoiceAnalytics" $GrantType = "client_credentials" $AuthTokenUrl = "$Authority/oauth2/token" $APIUrl = "https://api.interfaces.records.teams.microsoft.com/Teams.VoiceAnalytics/getanalytics" # Calculate the date 28 days ago $Date28DaysAgo = (Get-Date).AddDays(-28).ToString("yyyy-MM-dd") # Generate the access token $TokenBody = @{ grant_type = $GrantType client_id = $ClientId client_secret = $ClientSecret resource = $Resource scope = $Scope } $AccessToken = (Invoke-RestMethod -Method Post -Uri $AuthTokenUrl -ContentType "application/x-www-form-urlencoded" -Body $TokenBody).access_token # Set request headers $Headers = @{ 'Authorization' = "Bearer $AccessToken" 'Content-Type' = "application/json" } # Create the request body $RequestBody = @{ startTime = $Date28DaysAgo + "T00:00:00Z" endTime = (Get-Date).ToString("yyyy-MM-dd") + "T23:59:59Z" } | ConvertTo-Json # Make the API call $Response = Invoke-RestMethod -Method Post -Uri $APIUrl -Headers $Headers -Body $RequestBody -ContentType "application/json" # Save the data to a CSV file $Response.values | Export-Csv -Path "CallData.csv" -NoTypeInformation # Display a message when complete Write-Host "Call data exported to 'CallData.csv'"
Issue Creating InTune Compliance Notification
Hi, complete Graph newbie here trying to learn the ropes. Currently using the Graph explorer to get comfortable. We're an MSP, so we set up a lot of InTune tenants for customers and currently do it manually, I'd like to automate a lot of it which I've done with regular old PowerShell, but some of it seems to be restricted to the (better) Graph. Currently, I'm using https://learn.microsoft.com/en-us/graph/api/intune-notification-notificationmessagetemplate-create?view=graph-rest-1.0&tabs=http and https://learn.microsoft.com/en-us/graph/api/intune-notification-localizednotificationmessage-create?view=graph-rest-1.0&tabs=http To try and create a POST request to: https://graph.microsoft.com/v1.0/deviceManagement/notificationMessageTemplates This is what I have: { "@odata.type": "#microsoft.graph.notificationMessageTemplate", "displayName": "Your Template Name", "defaultLocale": "en-us", "brandingOptions": "includeCompanyLogo", "localizedNotificationMessages": [ { "@odata.type": "#microsoft.graph.localizedNotificationMessage", "locale": "en-us", "subject": "Your Notification Subject", "messageTemplate": "Your Notification Message", "isDefault": true } ] } In the request body using Graph explorer. A lot of values are place holders but they should still create just to test. Initially I was getting errors with the payload but have fixed those. Now, no matter how much modifying I do, I always get this as 400 bad request error: { "error": { "code": "BadRequest", "message": "{ \"_version\": 3, \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 2e3410e5-8f41-8b2f-755c-f42d2944e26d - Url: https://fef.msub07.manage.microsoft.com/StatelessNotificationFEService/deviceManagement/notificationMessageTemplates?api-version=5018-07-01\", \"CustomApiErrorPhrase\": \"\", \"RetryAfter\": null, \"ErrorSourceService\": \"\", \"HttpHeaders\": \"{}\"}", "innerError": { "date": "2023-11-10T14:24:35", "request-id": "efbf0aae-23bf-445f-83e8-141c3d0e7255", "client-request-id": "2e3410e5-8f41-8b2f-755c-f42d2944e26d" } } } Could anyone help me identify what's wrong, or point me where I can learn more? Thank you so much.
Custom Mail forwarding via Graph API
Hi, we use EWS to create custom rules for diff. users including mail forwarding rules. EWS is going to be shut down for 3rd Party apps, so we need to use Graph. I only found how to set out of office rules via Graph but I'm missing an option for custom mail forwarding rules?!? Can anyone help?
