
I am trying to get the messages inside the mailbox of users in the enterprise via the admin account.

In my app I have the following permissions:

Microsoft Graph Application Permissions

I used the https://login.microsoftonline.com/common/adminconsent?... to grant the application permissions to read mail in all mailboxes and after that, I used the OAuth2 authentication to get a Bearer token.

This is the response I got from the token endpoint:

{
  "token_type": "Bearer",
  "scope": "Mail.Read User.Read User.Read.All profile openid email",
  "access_token": "<token>",
  "expires_in": 3599,
  "ext_expires_in": 3599
}

When I used this to access a mailbox via https://graph.microsoft.com/v1.0/users/USER-ID/messages, I got the following response:

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "a31bcf73-4bd6-4fed-bfee-d70328e0703e",
      "date": "2018-11-26T15:20:37"
    }
  }
}

However, when I use this endpoint with the User ID of the authenticated admin account, I am able to access the messages in that mailbox.

But I would like to access the mailboxes of all users in the organization via Microsoft Graph.

1 Answer


The Outlook endpoints operate a little differently than most of the Graph endpoints: rather than having a .all variation of their scopes (i.e. user.read vs. user.read.all), it depends on which scope type (Delegated vs. Application) is being used.

When Delegated scopes are being used, Mail.Read only provides access to the authenticated user's mailbox (the only exception being those that have been explicitly shared with that user).

When Application scopes are being used, Mail.Read provides access to any user's mailbox.

Now, this is where things get a little wonky: the type of scope that gets applied is entirely dependent on the OAuth grant used to obtain the token.

  • When using Implicit or Authorization Code grants, Delegated scopes are applied.
  • When using the Client Credentials grant, Application scopes are applied.

So in order for you to access any user's mailbox via /v1.0/users/{someUser}/messages, you first need to obtain your token using the Client Credentials OAuth grant. You can find a walkthrough on how this works in the documentation under "Get access without a user".
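Added example (not part of the answer above): building the Client Credentials token request described in the answer and telling an app-only token apart from a delegated one by inspecting its claims. App-only tokens carry a `roles` claim, delegated tokens carry `scp`, which is the quickest way to confirm which permission type the token actually got. Tenant id, client id and secret are placeholders; the two sample tokens are constructed, unsigned JWTs for offline use.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id, client_id, client_secret):
    """Build the Client Credentials request that yields an app-only token.
    This grant needs a tenant-specific endpoint (not /common) and, on the
    v2.0 endpoint, the resource's /.default scope rather than Mail.Read."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return Request(url, data=body.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def token_permission_type(access_token):
    """Inspect (not validate) the JWT payload. Application-permission tokens
    carry 'roles'; delegated tokens carry 'scp'. The signature is NOT checked,
    so use this only for troubleshooting, never for authorization decisions."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    if "roles" in claims:
        return "application", claims["roles"]
    return "delegated", claims.get("scp", "").split()


def messages_request(access_token, user_id):
    """GET /users/{id}/messages; only succeeds for other users with an app-only token."""
    return Request(f"{GRAPH}/users/{user_id}/messages",
                   headers={"Authorization": f"Bearer {access_token}"})


def _fake_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed samples: a delegated token like the one in the question vs. an app-only one.
DELEGATED_TOKEN = _fake_jwt({"scp": "Mail.Read User.Read User.Read.All"})
APP_ONLY_TOKEN = _fake_jwt({"roles": ["Mail.Read"]})

if __name__ == "__main__":
    print(token_permission_type(DELEGATED_TOKEN))  # ('delegated', ['Mail.Read', ...])
    print(token_permission_type(APP_ONLY_TOKEN))   # ('application', ['Mail.Read'])
```

If the token you receive shows `scp` instead of `roles`, you obtained it with a delegated grant and the ErrorAccessDenied on other users' mailboxes is expected.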