
I am building a background service which accesses Office 365 mailboxes in order to retrieve emails and process them in our application. Once processing is complete it should delete the emails.

I have successfully set up authentication of the web service using an X509 certificate to get an OAuth access token (thanks to this blog post) and can read emails of a user with an HTTP GET to:

This returns me the desired JSON response of the messaging objects.

I now wish to delete the emails once they have been processed. I have tried two methods for this:

HTTP DELETE: https://outlook.office365.com/api/v2.0/users('[emailAddress]')/messages/[messageId]

And:

HTTP POST: https://outlook.office365.com/api/v2.0/users('[emailAddress]')/messages/[messageId]/move

including:

_request.Content = New StringContent("{""DestinationId"": ""DeletedItems""}", Encoding.UTF8, "application/json")

I originally had my application set up in Azure AD with permissions to other applications including Office 365 Exchange Online with both Application Permissions and Delegated Permissions (which shouldn't apply here) to only read mail. At this point reading mail from the HTTP GET request worked fine.

I then tried to add a new method to the background service that deleted messages once they were complete. Whenever I ran either a delete or a move to deleted items, as defined above, I received a 403 with the following message:

x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this call.";error_category="invalid_grant"

I went back and added read/write permissions to both application and delegated but nothing changed when sending my requests.

As an experiment I then removed all permissions for Office 365 from my application in Azure AD. As expected this then prevented me from retrieving email which was working before. This proves I am successfully connecting to my application.

However, I then re-added the permissions and now for all requests I receive a 401 with:

x-ms-diagnostics: 2000008;reason="The token contains no permissions, or permissions can not be understood.";error_category="invalid_grant"

I have since tried removing Office 365 from the application in Azure AD and re-adding it but cannot fix the issue.

Is there some delay in adding/updating permissions?

How can I fix the application such that it can both retrieve and delete and/or move emails?

A full response from when I had issues deleting is:

StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
  Transfer-Encoding: chunked
  request-id: 9734281b-60f6-48e0-bea4-a3ce0c8b9744
  client-request-id: 1f7ee398-340e-45c4-985a-e89a34d3a4d9
  client-request-id: 1f7ee398-340e-45c4-985a-e89a34d3a4d9
  X-CalculatedBETarget: HE1PR04MB0971.eurprd04.prod.outlook.com
  X-BackEndHttpStatus: 403
  Cache-Control: private
  Set-Cookie: ClientId=XFUHAPKC3UISCO9J0WCOG; expires=Thu, 12-Jan-2017 13:30:18 GMT; path=/; secure; HttpOnly
  Set-Cookie: exchangecookie=ed0bfaa0c16e44ffac392df7da2dacd3; expires=Fri, 13-Jan-2017 13:30:18 GMT; path=/; HttpOnly
  Set-Cookie: ClientId=XFUHAPKC3UISCO9J0WCOG; expires=Thu, 12-Jan-2017 13:30:18 GMT; path=/; secure; HttpOnly
  Server: Microsoft-IIS/8.0
  WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"
  x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this call.";error_category="invalid_grant"
  OData-Version: 4.0
  X-AspNet-Version: 4.0.30319
  X-DiagInfo: HE1PR04MB0971
  X-BEServer: HE1PR04MB0971
  X-Powered-By: ASP.NET
  Date: Wed, 13 Jan 2016 13:30:18 GMT
  Content-Type: application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8
}

A full response for current permissions issues is:

StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
  Transfer-Encoding: chunked
  request-id: 9734281b-60f6-48e0-bea4-a3ce0c8b9744
  client-request-id: 1f7ee398-340e-45c4-985a-e89a34d3a4d9
  client-request-id: 1f7ee398-340e-45c4-985a-e89a34d3a4d9
  X-CalculatedBETarget: HE1PR04MB0971.eurprd04.prod.outlook.com
  X-BackEndHttpStatus: 403
  Cache-Control: private
  Set-Cookie: ClientId=XFUHAPKC3UISCO9J0WCOG; expires=Thu, 12-Jan-2017 13:30:18 GMT; path=/; secure; HttpOnly
  Set-Cookie: exchangecookie=ed0bfaa0c16e44ffac392df7da2dacd3; expires=Fri, 13-Jan-2017 13:30:18 GMT; path=/; HttpOnly
  Set-Cookie: ClientId=XFUHAPKC3UISCO9J0WCOG; expires=Thu, 12-Jan-2017 13:30:18 GMT; path=/; secure; HttpOnly
  Server: Microsoft-IIS/8.0
  WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"
  x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this call.";error_category="invalid_grant"
  OData-Version: 4.0
  X-AspNet-Version: 4.0.30319
  X-DiagInfo: HE1PR04MB0971
  X-BEServer: HE1PR04MB0971
  X-Powered-By: ASP.NET
  Date: Wed, 13 Jan 2016 13:30:18 GMT
  Content-Type: application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8
}
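The two x-ms-diagnostics messages above ("not enough scope" and "no permissions, or permissions can not be understood") both describe what is, or is not, inside the access token the service presents. Before changing anything in Azure AD it is worth looking at the token itself: application permissions for the Exchange Online resource show up in the token's `roles` claim, and a token minted before the new grant took effect simply will not carry the new role. The script below is an added example, not code from the question or from the blog post it references. It decodes the JWT payload locally (without signature verification, which is fine for inspecting a token you just received from the token endpoint but never for accepting one from a caller) and reports which operations the token cannot authorize. The operation-to-role mapping (`Mail.Read` for GET, `Mail.ReadWrite` for DELETE and move) and the sample token are assumptions constructed for the demo; check the role names against the permissions listed for your app in the Azure AD portal.

```python
import base64
import json

# Assumed mapping from the question's three operations to the Exchange Online
# application permission (token "roles" value) each one needs. Verify these
# names against the permissions shown for your app in Azure AD.
REQUIRED_ROLE = {
    "GET messages": "Mail.Read",
    "DELETE message": "Mail.ReadWrite",
    "POST move": "Mail.ReadWrite",
}


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token):
    """Return the payload claims of a compact JWT.

    The signature is NOT checked: this is for inspecting a token your own
    service obtained, not for validating tokens presented by clients.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token, operations):
    """Map each operation to the role it needs that the token does not carry.

    A token with no "roles" claim at all (the 'permissions can not be
    understood' case) fails every operation.
    """
    granted = set(jwt_claims(token).get("roles", []))
    return {
        op: REQUIRED_ROLE[op]
        for op in operations
        if REQUIRED_ROLE[op] not in granted
    }


def _make_unsigned_token(payload):
    """Build a constructed, unsigned JWT for the demo (empty signature part)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Constructed sample: a token issued before the administrator re-consented,
# so it still carries only the original read-only application permission.
STALE_TOKEN = _make_unsigned_token({
    "aud": "https://outlook.office365.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "roles": ["Mail.Read"],
})

if __name__ == "__main__":
    ops = ["GET messages", "DELETE message", "POST move"]
    gaps = missing_roles(STALE_TOKEN, ops)
    for op in ops:
        print(f"{op:15s} {'missing ' + gaps[op] if op in gaps else 'ok'}")
```

Run against a real token, the output tells you whether the problem is on the token-issuance side (the role is absent, so consent has not been granted for the current permission set) or on the API side (the role is present and the call still fails). In the situation described in the question the stale token reports `ok` for the GET and `missing Mail.ReadWrite` for the DELETE and move, which matches the 403.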
1 Answer


Because you modified the permissions, the administrator must log in and grant their consent to the new permissions. Until then you continue to get a token with the "old" permission set. So basically what you need to do is re-do the "Granting consent..." section of the blog post.