
I need to read mails from an Outlook mailbox via Graph API. The application I am writing is a scheduled batch job without user interaction. I can't use application permissions, because of compliance reasons. The application must not be able to access all mailboxes on the tenant. I use delegated permissions for a technical user that has been granted access to the allowed mailboxes to achieve that. I was able to get a JWT Access Token via ADAL4J and successfully called some APIs with it, but whenever I try to read a mailbox, even the technical user's mailbox, I get a 403 Forbidden.

I started with this official [sample](https://github.com/Azure-Samples/active-directory-java-native-headless/). After setting up my Application in Azure this sample worked right away. I then changed the Graph call to "https://graph.microsoft.com/v1.0/me/messages" and suddenly I got a 403 Forbidden. To avoid permission problems I added all delegated permissions available in Azure AD to the application and provided Administrator consent for everything. That unfortunately changed nothing. When I check the contents of my token I see the scp field containing all the permissions. What's strange is that I can actually write the mailbox. I can write to the draft folder via Graph API. But when I take the returned message ID and try to query the same message I just created I again get a 403 Forbidden.

Getting the token:

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

// Tenant-specific values (placeholders here), e.g. https://login.microsoftonline.com/<tenant-id>/
private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";
private static final String CLIENT_ID = "<application-client-id>";

private static AuthenticationResult getAccessTokenFromUserCredentials(
        String username, String password) throws Exception {
    AuthenticationContext context;
    AuthenticationResult result;
    ExecutorService service = null;
    try {
        service = Executors.newFixedThreadPool(1);
        context = new AuthenticationContext(AUTHORITY, false, service);
        // Username/password (resource owner) flow for the Graph resource; the
        // returned token's "aud" claim should therefore be https://graph.microsoft.com
        Future<AuthenticationResult> future = context.acquireToken(
                "https://graph.microsoft.com", CLIENT_ID, username, password,
                null);
        result = future.get();
    } finally {
        if (service != null) {
            service.shutdown();
        }
    }
    return result;
}
```

Calling the messages endpoint:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

static int callMessagesEndpoint(String accessToken) throws IOException {
    URL url = new URL("https://graph.microsoft.com/v1.0/me/messages");
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("GET");
    conn.setRequestProperty("Authorization", "Bearer " + accessToken);
    conn.setRequestProperty("Accept", "application/json");
    return conn.getResponseCode(); // 403 Forbidden is what comes back on v1.0
}
```
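The question says the scp claim looks right, so the next check a practitioner would make is whether the token is really a delegated Graph token at all (Graph audience in aud, scp rather than roles) and whether the granted scope matches the mailbox being read: Mail.Read (or Mail.ReadWrite) covers the signed-in user's own mailbox, while reading a mailbox shared with that user needs the .Shared variants (Mail.Read.Shared / Mail.ReadWrite.Shared). The script below is an added example, not part of the question or answer and not ADAL4J code. It decodes claims without verifying the signature (a diagnostic aid, not token validation), the sample tokens are constructed and unsigned, and the tenant id is a placeholder.

```python
import base64
import json

# Both spellings of the Microsoft Graph resource seen in the "aud" claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT for inspection.

    Signature is NOT verified: use this to read claims, never to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _scope_satisfied(scopes: set, wanted: str) -> bool:
    """Mail.Read is implied by Mail.ReadWrite; likewise for the .Shared variants."""
    superset = wanted.replace(".Read", ".ReadWrite", 1) if ".ReadWrite" not in wanted else wanted
    return wanted in scopes or superset in scopes


def check_delegated_mail_token(claims: dict, mailbox_is_shared: bool) -> list:
    """Return findings that explain why a delegated Graph mail call could be refused."""
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"aud={claims.get('aud')!r}: token was issued for a different resource")
    if "scp" not in claims:
        findings.append("no scp claim: this is not a delegated (user) token"
                        + (" (app roles present)" if "roles" in claims else ""))
        return findings
    scopes = set(claims["scp"].split())
    needed = "Mail.Read.Shared" if mailbox_is_shared else "Mail.Read"
    if not _scope_satisfied(scopes, needed):
        findings.append(f"scp lacks {needed}: granted scopes are {sorted(scopes)}")
    return findings


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (Graph would never accept it)."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), ""])


# Constructed sample shaped like the questioner's token: Graph audience, delegated scopes.
SAMPLE_DELEGATED = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "scp": "Mail.ReadWrite User.Read",
    "upn": "batch.user@example.invalid",
})
# Constructed sample minted for another resource, a classic cause of 403 from Graph.
SAMPLE_WRONG_AUD = make_unsigned_token({
    "aud": "https://outlook.office365.com",
    "scp": "Mail.Read",
})

if __name__ == "__main__":
    for name, tok in [("delegated", SAMPLE_DELEGATED), ("wrong-aud", SAMPLE_WRONG_AUD)]:
        print(name, check_delegated_mail_token(decode_claims(tok), mailbox_is_shared=False))
```

Run it against the real access token by passing that token to decode_claims; an empty findings list for the own-mailbox case, as with the constructed delegated sample, means the token itself is not the obvious culprit and the Graph error body (error.code in the 403 response) is the next thing to read.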

1 Answer


Changing the API version to beta will solve this issue.

https://graph.microsoft.com/beta/me/messages


Tony Ju
  • Thank you. It solves my problem, but comes with a new one. The beta could change at any point, so I can't put that into a production environment. Do you maybe know which beta change alters that behavior and if there is a way around it on v1.0? – Lukas Stampf Mar 27 '19 at 07:38
  • You are welcome. I guess this might be a bug. You can raise a support ticket on o365 portal for further assistance. https://learn.microsoft.com/en-us/office365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=online – Tony Ju Mar 27 '19 at 07:45