azure go outlook microsoft-graph-api microsoft-graph-mail

"The tenant for tenant guid X does not exist", for self email account(I'm the only member)

I would like to read email for my personal account but I'm getting "The tenant for tenant guid X does not exist".

I created an app using single tenant on https://entra.microsoft.com/
Then I assing it the permissions to email
Then I created a client secret

Then I use this code for getting the token:

 import(""github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential")
 cred, err := confidential.NewCredFromSecret("{secret value}")
 if err != nil {
     log.Println(err)
     return
 }
 confidentialClient, err := confidential.New("https://login.microsoftonline.com/{tenant id}", "{client id}", cred)
 if err != nil {
     log.Println(err)
     return
 }
 scopes := []string{"https://graph.microsoft.com/.default"}
 result, err := confidentialClient.AcquireTokenSilent(context.TODO(), scopes)
 if err != nil {
     result, err = confidentialClient.AcquireTokenByCredential(context.TODO(), scopes)
     if err != nil {
     log.Println(err)
         return
     }
 }

I successfully get the token with that code

{
     "Account": {
         "AdditionalFields": null
     },
     "IDToken": {
         "RawToken": "",
         "AdditionalFields": null
     },
     "AccessToken": "{token}",
     "ExpiresOn": "2023-12-13T14:57:09.4905758-05:00",
     "GrantedScopes": [
         "https://graph.microsoft.com/.default"
     ],
     "DeclinedScopes": null
 }

Then I get the user id(I'm the only user):

 req, err := http.NewRequest("GET", "https://graph.microsoft.com/v1.0/users", nil)
 if err != nil {
     log.Println(err)
     return
 }
 req.Header.Add("Authorization", "{token}")
 client := http.Client{}
 resp, err := client.Do(req)
 if err != nil {
     log.Println(err)
     return
 }
 body, err := io.ReadAll(resp.Body)
 if err != nil {
     log.Println(err)
     return
 }

however when I try to get the emails:

     req, err := http.NewRequest("GET", "https://graph.microsoft.com/v1.0/users/{user_id}/messages", nil)
     if err != nil {
         log.Println(err)
         return
     }
     req.Header.Add("Authorization", "{token}")
     client := http.Client{}
     resp, err := client.Do(req)
     if err != nil {
         log.Println(err)
         return
     }
     body, err := io.ReadAll(resp.Body)
     if err != nil {
         log.Println(err)
         return
     }

I get:

{
    "error": {
        "code": "OrganizationFromTenantGuidNotFound",
        "message": "The tenant for tenant guid '0a6ac917-332a-4f47-881e-0b35fb1b2ab5' does not exist.",
        "innerError": {
            "oAuthEventOperationId": "c096c5c9-e743-4daa-9a97-d14d915e9842",
            "oAuthEventcV": "N0nHeUJm9gwnrFZefuEA4w.1.1",
            "errorUrl": "https://aka.ms/autherrors#error-InvalidTenant",
            "requestId": "c0272999-9743-44ee-98b5-947acc52e7d8",
            "date": "2023-12-13T19:11:22"
        }
    }
}

Id 0a6ac917-332a-4f47-881e-0b35fb1b2ab5 on the error is the tenand id

Solution

To read the mails of personal Outlook account, you need to switch to delegated flow like interactive flow or authorization code flow for generating access token and call /me/messages endpoint.

Register multi-tenant application with account type as "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)":

enter image description here

Make sure to enable public client option if you are using interactive flow for generating token:

enter image description here

Now, add Mail.Read or Mail.ReadWrite permission of Delegated type in your app registration based on your need:

enter image description here

To generate access token using interactive flow, you can refer this sample Go code and later use it for calling /me/messages endpoint:

package public_test

import (
    "context"

    "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
)

func Example() {
    client, err := public.New("client_id", public.WithAuthority("https://login.microsoftonline.com/common"))
    if err != nil {
    }

    var result public.AuthResult
    scopes := []string{"https://graph.microsoft.com/.default"}

    accounts, err := client.Accounts(context.TODO())
    if err != nil {
        // TODO: handle error
    }
    if len(accounts) > 0 {
        result, err = client.AcquireTokenSilent(context.TODO(), scopes, public.WithSilentAccount(accounts[0]))
    }
    if err != nil || len(accounts) == 0 {
        result, err = client.AcquireTokenInteractive(context.TODO(), scopes)
        if err != nil {
        }
    }
    _ = result.Account
    _ = result.AccessToken
}

You can also sign into Graph Explorer with that account and run below query for getting emails:

GET https://graph.microsoft.com/v1.0/me/messages

Response:

enter image description here

Reference:

microsoft-authentication-library-for-go/apps/public/example_test.go at main · AzureAD/microsoft-authentication-library-for-go · GitHub