How do I use Microsoft Graph OAuth code flow to produce a token that can read mail?

Question

Steps to recreate require:

A web browser
A command console with CURL installed.
An existing Microsoft Azure account.
An existing Azure App registration (see https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).

Step 1: Replace "MY_CLIENT_ID" with an Azure client ID for an authorized application.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=MY_CLIENT_ID&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A12345&response_mode=query&resource=https%3A%2F%2Fgraph.microsoft.com%2F&state=12345&prompt=admin_consent&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read

Step 2: Enter the URL in a web browser address bar.

Step 3: Proceed to authorize the application to read email using an existing Azure account. (The browser URL will change to one with an OAuth code.)

Step 4: Copy the OAuth code.

Step 5: In the CURL command below:

Replace "MY_CLIENT_ID" with an Azure client ID for an authorized application.
Replace "MY_CLIENT_SECRET" with the client secret for the authorized application.
Replace "MY_OAUTH_CODE" with the OAuth code.

curl -X POST -H "content-type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=MY_OAUTH_CODE&redirect_uri=http%3A%2F%2Flocalhost%3A12345&client_id=MY_CLIENT_ID&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read&client_secret=MY_CLIENT_SECRET" "https://login.microsoftonline.com/common/oauth2/token"

Step 6: Enter the CURL command in a command console. (A valid request token will be returned.)

Step 7: Replace "MY_REQUEST_TOKEN" in the CURL command below with the request token and execute the command in a command console.

curl -H "Authorization: Bearer MY_REQUEST_TOKEN" "https://graph.microsoft.com/v1.0/me/"

Notice that the basic account info is returned - meaning the token is VALID.

Step 8: Replace "MY_REQUEST_TOKEN" in the CURL command below with the request token and execute the command in a command console.

curl -H "Authorization: Bearer MY_REQUEST_TOKEN" "https://graph.microsoft.com/v1.0/me/messages"

This error is returned:

{
  "error": {
    "code": "ResourceNotFound",
    "message": "Resource could not be discovered.",
  }
}

Note that I can read emails if I get an auth code using the URL login.live.com/… — Doug Sherlock

Hari Krishna Hari Krishna · Accepted Answer · 2020-05-28T18:13:17

Since you are trying to read mails, please setup permissions to your registered app with required permissions i.e., Mail.ReadBasic, Mail.Read.

Please go through the documentation https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/mail-rest-operations

View the documentation, this is the client class code: https://github.com/microsoftgraph/msgraph-sdk-dotnet/blob/dev/src/Microsoft.Graph/Requests/Generated/GraphServiceClient.cs

Here is an example :

private static GraphServiceClient GetClient(string accessToken, IHttpProvider provider = null)
{
        var delegateAuthProvider = new DelegateAuthenticationProvider((requestMessage) =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);

            return Task.FromResult(0);
        });

        var graphClient = new GraphServiceClient(delegateAuthProvider, provider ?? HttpProvider);

        return graphClient;
 }

How do I use Microsoft Graph OAuth code flow to produce a token that can read mail?

2 Answers

Step: Authorize in the Browser prompt.