1
votes

I want to access a shared mailbox via Microsoft Graph. What I found so far to access a shared mailbox is the following GET request: "https://graph.microsoft.com/v1.0/users/{sharedmailboxmailaddress}/messages"

As a response I get:

"error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
        "date": "2020-08-31T10:12:28",
        "request-id": "1346f752-1041-495e-b880-375c6011aa8a"
    }
}

My user has full access to this shared mailbox - e.g. I can read/write the mailbox in Outlook. Consenting to the permission (modify permissions) is not an option because I am not an admin of the organization - I think I would need the permission "Mail.ReadWrite.Shared".

Is there a way without consenting to the permission, because my user has full access to the shared mailbox? There has to be a way to access the mailbox without having admin permissions in the organization?

I am looking forward to reading an answer :) Thanks

1
Hi, did you check my answer? Is there anything unclear? - Allen Wu
@AllenWu It was helpful, thanks. I am currently waiting to get approval from admin (after selecting my account I get the message: "Administrator approval required"). It's not a wrong setup of my Azure AD app, is it? - pbrkrd
If your Azure AD app has any other permissions which require admin consent, it will show the message: "Administrator approval required". So make sure there are no such permissions. If you have to add such a permission, just wait to get the approval from admin. - Allen Wu
BTW, if my answer is helpful, you can mark it as accepted, which will help other people who have the same issue. - Allen Wu

1 Answer

2
votes

No matter whether your account has full access to the shared mailbox, Azure AD authorization cannot be bypassed.

You should have known you need to register an Azure AD app to sign in with your account.

The permissions are controlled by the Azure AD app. In your case, "Mail.ReadWrite.Shared" permission is necessary.

Only by adding this permission can you use Microsoft Graph to access the shared mailbox messages.

You can ask your admin to add this permission for you.

In fact, "Mail.ReadWrite.Shared" doesn't require admin consent. Users can consent to it by themselves if the admin enables "Users can consent to apps accessing company data on their behalf".

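To confirm whether the token an app obtained actually carries the shared-mailbox scope this answer refers to, the following added example (not part of the original answer) decodes the access token's `scp` claim without verifying the signature, for diagnosis only. It assumes the token is a JWT with delegated scopes in `scp`; the helper names are hypothetical and the sample tokens are constructed.

```python
import base64
import json

# Delegated Graph scopes that allow GET /users/{shared-mailbox}/messages.
# Mail.ReadWrite.Shared is the one named in the answer; Mail.Read.Shared is
# the read-only variant and is enough when the app never writes.
SHARED_MAIL_SCOPES = {"Mail.Read.Shared", "Mail.ReadWrite.Shared"}


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def shared_mailbox_check(access_token):
    """Return (ok, reason) for a delegated call to a shared mailbox."""
    scopes = set(token_claims(access_token).get("scp", "").split())
    if not scopes:
        return False, "no 'scp' claim: not a delegated (signed-in user) token"
    granted = scopes & SHARED_MAIL_SCOPES
    if granted:
        return True, "granted: " + ", ".join(sorted(granted))
    return False, "no *.Shared mail scope; token has: " + ", ".join(sorted(scopes))


def make_sample_token(claims):
    """Build an unsigned, constructed sample token (hypothetical helper)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed sample tokens, not real credentials.
TOKEN_OWN_MAIL_ONLY = make_sample_token({"scp": "Mail.ReadWrite User.Read"})
TOKEN_SHARED = make_sample_token({"scp": "Mail.ReadWrite.Shared User.Read"})

if __name__ == "__main__":
    for name, tok in [("own mail only", TOKEN_OWN_MAIL_ONLY), ("shared", TOKEN_SHARED)]:
        print(name, "->", shared_mailbox_check(tok))
```

A token that only has `Mail.ReadWrite` covers the signed-in user's own mailbox, which is why the request in the question returns `ErrorAccessDenied` even though the user has full access in Outlook.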