Microsoft Graph API : "403 forbidden" error when getting groups conversations

Question

In a Node.js script using adal-node, I'm trying to retrieve a group conversations following parts of this official documentation.

I've created an application in Azure AD administration for my tenant, and temporarily checked all permissions for Graph API (should exclude a "missing permission" problem), then clicked on the "Grant permissions" button.

I'm using a certificate for authentication.

Basically I'm doing:

var adal = require('adal-node');
var authorityUrl = 'https://login.windows.net/{my-tenant}';
var context = new adal.AuthenticationContext(authorityUrl);
context.acquireTokenWithClientCertificate(
    'https://graph.microsoft.com',
    '{my-app/client-ID}',
    '{certificate file content}',
    '{certificate thumbprint}',
    function(err, tokenResponse) {
        // this method does an HTTPS call with autorization token & returns results (uses 'https.request()')
        callRestApi(
            'graph.microsoft.com', // host
            443, // port
            '/v1.0/groups/{group-ID}/threads', // path
            'GET', // method
            tokenResponse.accessToken, // token
            function(err, results) {
                console.log(err);
                console.log(results);
            });
    });

When I'm using, for example, /v1.0/groups/{group-ID}/description as path, it works as expected.

However, with /v1.0/groups/{group-ID}/conversations or /v1.0/groups/{group-ID}/threads, I always get an HTTP 403 / Forbidden error (without any further detail in response.headers).

Note that when I try to do the same exact call from the online Graph API Explorer with my tenant admin account, it works as expected.

Answer 1

AFAIK ,as @Marek Rycharski said in the thread , group conversation access is not supported in app-only authorization flow.

In my testing , i used client credential flow to acquire app-only token for microsoft graph, the difference is my client credential is a password , and the access token includes Group.ReadWrite.All application permission, when performing /v1.0/groups/{group-ID}/conversations operation , the response shows 403 Forbidden error . But using authorization code flow to acquire access token with delegate permission , the list conversations operation works fine .