0
votes

I have registered an application in Azure Active Directory as a daemon authenticating with client secrets. I added Graph API permissions and have granted administrator consent to get a SharePoint list, and can successfully pull it using the Graph API in C#. I have also granted admin consent to the Mail.Send Graph API permission but get an access denied error. The call is set up correctly and the email address I am using as the From field is the administrator's mailbox. Is there some additional configuration or misconfiguration I am doing?

Call to Authenticate

    var clientSecret = @"{My generated Secret in Azure}";
    var clientId = @"{My Client Id}";
    var tenantID = @"{My Tenant Id}";
    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithTenantId(tenantID)
        .WithClientSecret(clientSecret)
        .Build();
    ClientCredentialProvider authenticationProvider = new ClientCredentialProvider(confidentialClientApplication);
    return new GraphServiceClient(authenticationProvider);

My Calling Code to Send Email

    System.IO.MemoryStream ms = new System.IO.MemoryStream();
    System.IO.StreamWriter writer = new System.IO.StreamWriter(ms);
    writer.Write(htmlDocument.Text);
    writer.Flush();
    writer.Dispose();
    MessageAttachmentsCollectionPage attachments = new MessageAttachmentsCollectionPage();
    attachments.Add(new FileAttachment
    {
        ODataType = "#microsoft.graph.fileAttachment",
        ContentBytes = ms.ToArray(),
        ContentType = "text/html",
        ContentId = "testing",
        Name = "My_Report.html"
    });
    var message = new Message
    {
        Subject = "My Report",
        Body = new ItemBody
        {
            ContentType = BodyType.Text,
            Content = "Here is your updated report from list"
        },
        ToRecipients = new List<Recipient>()
        {
            new Recipient
            {
                EmailAddress = new EmailAddress
                {
                    Address = "{End User to receive report}"
                }
            }
        },
        CcRecipients = new List<Recipient>()
        {
            new Recipient
            {
                EmailAddress = new EmailAddress
                {
                    Address = "{my admin email account}"
                }
            }
        },
        From = new Recipient
        {
            EmailAddress = new EmailAddress
            {
                Address = "{my admin email account}"
            }
        },
        Attachments = attachments
    };
    var graphServiceClient = GetGraphServiceClient();
    await graphServiceClient.Me
        .SendMail(message, null)
        .Request()
        .PostAsync();
1
You might encounter the error "ErrorAccessDenied" when an API call is denied access due to a configured application access policy. If Microsoft Graph API calls from your app return this error, then please work with your Exchange Online administrator for the organization to ensure that your app has permission to access the mailbox resource. Refer to the related doc - docs.microsoft.com/en-us/graph/auth-limit-mailbox-access - Dev
Hi, could my answer help you? If my answer is helpful for you, you can accept it as the answer. This can be beneficial to other community members. Thank you. :) - Chauncy Zhou

1 Answer

1
votes

You are using client credentials flow.

When authenticating as an application (as opposed to with a user), you can't use delegated permissions - scopes that are granted by a user. You must use application permissions, also known as roles, that are granted by an admin for the application or via pre-authorization by the web API.

So you should give the app application permissions and grant admin consent in the portal.

And modify the following code.

    await graphClient.Users["your admin email account"]
        .SendMail(message, null)
        .Request()
        .PostAsync();
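The answer's distinction between delegated scopes and application roles can be checked on the token the daemon actually receives: an app-only token carries a `roles` claim, a delegated one carries `scp`. The following is an added example, not code from the question or the answer; it assumes .NET Core 3.0 or later for `System.Text.Json`, the sample tokens are constructed and unsigned, and `GraphTokenCheck`, `Diagnose` and `Sample` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class GraphTokenCheck
{
    // Decodes the JWT payload WITHOUT validating the signature: troubleshooting only.
    static JsonElement Payload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 += new string('=', (4 - b64.Length % 4) % 4);   // restore base64url padding
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();                      // clone so it outlives the document
    }

    // Reports whether the token can carry an app-only call that needs `permission`.
    public static string Diagnose(string jwt, string permission)
    {
        JsonElement claims = Payload(jwt);
        if (claims.TryGetProperty("scp", out JsonElement scp))
            return "delegated token (scp=" + scp.GetString() + "): not what client credentials should produce";
        bool hasRole = claims.TryGetProperty("roles", out JsonElement roles)
            && roles.ValueKind == JsonValueKind.Array
            && roles.EnumerateArray().Any(r => r.GetString() == permission);
        return hasRole
            ? "app-only token with " + permission + ": address the mailbox as Users[...], not Me"
            : "app-only token without " + permission + ": add the application permission and grant admin consent";
    }

    // Builds an unsigned sample token from a claims JSON string (constructed test data).
    static string Sample(string claimsJson)
    {
        string Enc(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc("{\"alg\":\"none\"}") + "." + Enc(claimsJson) + ".sig";
    }

    public static void Main()
    {
        Console.WriteLine(Diagnose(Sample("{\"roles\":[\"Sites.Read.All\"]}"), "Mail.Send"));
        Console.WriteLine(Diagnose(Sample("{\"roles\":[\"Sites.Read.All\",\"Mail.Send\"]}"), "Mail.Send"));
        Console.WriteLine(Diagnose(Sample("{\"scp\":\"Mail.Send User.Read\"}"), "Mail.Send"));
    }
}
```

Against a real tenant, pass the `AccessToken` returned by `confidentialClientApplication.AcquireTokenForClient(...).ExecuteAsync()` to `Diagnose`, and keep the token out of logs.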