1
votes

I have a very basic Azure Function:

#r "Newtonsoft.Json"

using System.Net;
using System.Net.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, string authToken, ILogger log)
{
    string msgId = req.Query["messageId"];

    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    dynamic data = JsonConvert.DeserializeObject(requestBody);
    msgId = msgId ?? data?.messageId;

    if (string.IsNullOrEmpty(msgId))
        return new BadRequestObjectResult("Please pass a messageId on the query string or in the request body");

    // access me via graph
    using (var client = new HttpClient())
    {
        client.DefaultRequestHeaders.Add("Authorization", "Bearer " + authToken);
        // Escape the caller-supplied id so it cannot change the Graph request path
        var response = await client.GetAsync("https://graph.microsoft.com/v1.0/users/*****/mailFolders/inbox/messages/" + Uri.EscapeDataString(msgId));
        string retResp = await response.Content.ReadAsStringAsync();
        log.LogInformation(retResp);
    }

    return new OkObjectResult(msgId);
}

The auth token is provided by the Azure Function auth token binding: Auth token Input binding

However, I always get the following answer from Microsoft Graph:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "24a1e799-2f9f-4452-8d46-20d4e3db160d",
            "date": "2019-01-02T07:39:15"
        }
    }
}

And yes: the admin consented, and I even tried to give all available permissions to the app and consented, but I still get the same message. Do you have any idea how I can validate the token or get more information?

1
Okay, it seems I need to say sorry. It just took a while till the permissions were reflected. Maybe a cache needed to expire. - LaurinSt

1 Answer

2
votes

It looks like your AAD app is not configured properly: in order to read Outlook messages, you need to have the Mail.Read permission. You can check it from the "Auth Token Input" section on your page (which is showing "Loading" on your screenshot). It should look similar to this below (with different permissions configured). Also, you might try using the "Client From Request" option in your "Identity" dropdown.


Whenever you change permission scopes, you should re-consent the app by visiting this URL in a browser and accepting the access requirement: https://<yourfunctionapphost>.azurewebsites.net/.auth/login/aad?prompt=consent
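
On the question of how to get more information from the token: the following is an added example, not part of the original posts, that decodes the claims of the token handed over by the binding and reports whether the required permission (Mail.Read, per the answer above) is present. `TokenDiagnostics` and its method names are hypothetical; it assumes the token is an Azure AD JWT carrying the standard `aud`, `scp`, `roles` and `exp` claims, and that the `using` lines sit at the top of the script.

```csharp
using System;
using System.Linq;
using System.Text;
using Newtonsoft.Json.Linq;

// Added diagnostic helper (hypothetical names, not from the original post).
// It decodes the JWT payload WITHOUT verifying the signature, so use the
// result for troubleshooting only, never for an authorization decision.
public static class TokenDiagnostics
{
    // Base64url -> bytes: restore '+', '/' and the '=' padding that JWTs strip.
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Invalid base64url length");
        }
        return Convert.FromBase64String(s);
    }

    // Returns a one-line summary of the claims that decide whether Graph
    // accepts the call. The raw token itself is never written to the log.
    public static string Describe(string jwt, string requiredPermission)
    {
        var parts = (jwt ?? "").Split('.');
        if (parts.Length != 3)
            return "Not a JWT (expected 3 dot-separated parts)";

        var claims = JObject.Parse(Encoding.UTF8.GetString(FromBase64Url(parts[1])));

        // Delegated permissions arrive space-separated in "scp";
        // application permissions arrive as an array in "roles".
        var scopes = ((string)claims["scp"] ?? "")
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        var roles = (claims["roles"] as JArray)?.Select(r => (string)r).ToArray()
                    ?? new string[0];
        bool granted = scopes.Concat(roles)
            .Contains(requiredPermission, StringComparer.OrdinalIgnoreCase);

        var expires = DateTimeOffset.FromUnixTimeSeconds(claims.Value<long?>("exp") ?? 0);
        return $"aud={claims["aud"]} scp=[{string.Join(",", scopes)}] " +
               $"roles=[{string.Join(",", roles)}] exp={expires:u} " +
               $"has {requiredPermission}={granted}";
    }
}
```

Calling `log.LogInformation(TokenDiagnostics.Describe(authToken, "Mail.Read"));` before the Graph request shows whether the token that was actually issued already carries the newly consented permission, or whether an older token without it is still being served.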