Microsoft Graph APi users/{email}/messages error: Access is denied. Check credentials and try again
Our org. has an email they made in outlook mail. I'm able to use the Microsoft Graph API using the endpoint me/messages but now I wanted to run this in python (in an azure databricks notebook).
So I created a new App in azure portal for this and the only steps I've done otherwise is adding delegated permissions and saving the clientid, secret id, tenant id from there.
I have the below code which throws the error:'Access is denied. Check credentials and try again.' Also, I'm able to get a token..
I've added the following delegated permissions...
email ,Mail.Read ,Mail.ReadWrite, User.Read
And this code:
authority = f"https://login.microsoftonline.com/{tenant_id}"
scope = ["https://graph.microsoft.com/.default"]
# scope = ["https://graph.microsoft.com/Mail.Read"]
app = msal.ConfidentialClientApplication(
client_id,
authority=authority,
client_credential=secret_value
)
result = None
result = app.acquire_token_silent(scope, account=None)
if not result:
print("No suitable token exists in cache. Requesting a new one...")
result = app.acquire_token_for_client(scopes=scope)
if "access_token" in result:
print('using access token...')
headers = {'Authorization': 'Bearer ' + result['access_token']}
graph_endpoint = f'https://graph.microsoft.com/v1.0/users/{email}/messages'
response = requests.get(graph_endpoint, headers=headers)
if response.status_code == 200:
emails = response.json()
print(emails)
else:
print(f"Error fetching emails: {response.status_code}")
print(response.json())
else:
print(f"Error acquiring token: {result.get('error')}, {result.get('error_description')}")
Solution
The error occurred as you granted permissions of Delegated type which won't work with client credentials flow.
Initially, I too got same error when I ran the code by granting permissions of Delegated type:
To resolve the error, make sure to add Mail.Read permission of Application type by granting admin consent as below:
When I ran the code again after granting permissions of Application type, I got the response successfully like this:
import json
import msal
import requests
tenant_id = "tenantId"
client_id = "appId"
secret_value = "secret"
email = "sri@xxxxxxxxx.onmicrosoft.com"
authority = f"https://login.microsoftonline.com/{tenant_id}"
scope = ["https://graph.microsoft.com/.default"]
app = msal.ConfidentialClientApplication(
client_id,
authority=authority,
client_credential=secret_value
)
result = app.acquire_token_silent(scope, account=None)
if not result:
print("No suitable token exists in cache. Requesting a new one...")
result = app.acquire_token_for_client(scopes=scope)
if "access_token" in result:
print('Using access token...')
headers = {'Authorization': 'Bearer ' + result['access_token']}
graph_endpoint = f'https://graph.microsoft.com/v1.0/users/{email}/messages'
response = requests.get(graph_endpoint, headers=headers)
if response.status_code == 200:
emails = response.json()
print(json.dumps(emails, indent=4))
else:
print(f"Error fetching emails: {response.status_code}")
print(response.json())
else:
print(f"Error acquiring token: {result.get('error')}, {result.get('error_description')}")
Response:
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database