I'm using Graph API https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/sendMail to send email. On setting userPrincipalName of a user that already exists in my tenant as sender, it works perfectly. After creating a user in my tenant and using that userPrincipalName as sender, I don't see any emails being sent. Why is that? Am I missing something?
1 Answer
Whenever you are using delegated permissions (i.e. when a user is logged in), even though your admin has consented to the Mail.Send.Shared permission, it does NOT grant access to all mailboxes in the tenant. These OAuth permissions do not override the permissions (and restrictions) in place for the user.
If the user is not already configured with permissions to be able to "Send As" the [email protected] user, then you'll see this error.
To make it work, you'd need to actually grant "Send As" rights to all users that will be using your application.
This is a subtle thing, and granted it's a bit confusing. In the Azure portal, the permissions have slightly different descriptions, depending on if you're looking at the Application Permissions or the Delegated Permissions.
Application: Send mail as any user
Delegated: Send mail on behalf of others
Another approach you could use here to avoid having to grant these rights to all users (which would allow them to send via Outlook, etc.) would be to have your backend app use the client credentials flow to get an app-only token. In that case, the app itself would have the permission to send as any user.
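The app-only route described in the answer, as an added example (this is not code from the question or the answer above). It builds the client credentials token request against the v2.0 endpoint with the `https://graph.microsoft.com/.default` scope, then a `POST /users/{upn}/sendMail` request using that token; the tenant, client id, secret and mailbox addresses are placeholders, and the app is assumed to have been granted (and admin-consented for) the `Mail.Send` application permission. The request builders are separated from the HTTP calls so the shape of both requests can be inspected without network access.

```python
"""App-only (client credentials) sendMail against Microsoft Graph.

Added example; not code from the original post. Tenant id, client id,
client secret and addresses are placeholders (assumptions for illustration).
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"
# An app-only token asks for all pre-consented application permissions via ".default".
SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the OAuth 2.0 client credentials grant."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return url, body


def build_sendmail_request(sender_upn, to_addresses, subject, text, access_token):
    """Return (url, headers, JSON payload) for POST /users/{upn}/sendMail.

    With an app-only token the sender is whichever mailbox is named in the
    path; the signed-in user's Send As rights are not involved because there
    is no signed-in user.
    """
    url = f"{GRAPH}/users/{urllib.parse.quote(sender_upn, safe='@')}/sendMail"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    payload = {
        "message": {
            "subject": subject,
            "body": {"contentType": "Text", "content": text},
            "toRecipients": [{"emailAddress": {"address": a}} for a in to_addresses],
        },
        "saveToSentItems": True,
    }
    return url, headers, payload


def acquire_app_token(tenant_id, client_id, client_secret):
    """Exchange the client secret for an app-only access token (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def send_mail(sender_upn, to_addresses, subject, text, access_token):
    """Send the message and return the HTTP status (202 Accepted on success)."""
    url, headers, payload = build_sendmail_request(
        sender_upn, to_addresses, subject, text, access_token)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values; replace with your own tenant and app registration.
    token = acquire_app_token("contoso.onmicrosoft.com", "<client-id>", "<client-secret>")
    print(send_mail("new.user@contoso.com", ["someone@example.com"],
                    "Hello from Graph", "Sent with an app-only token.", token))
```

Two things to keep in mind with this approach: the `Mail.Send` application permission lets the app send as any mailbox in the tenant, so in Exchange Online you would normally scope it with an application access policy (`New-ApplicationAccessPolicy -AppId <app-id> -PolicyScopeGroupId <mail-enabled group> -AccessRight RestrictAccess`); and if you stay on the delegated route instead, the "Send As" right the answer refers to is granted per mailbox with `Add-RecipientPermission -Identity <mailbox> -Trustee <user> -AccessRights SendAs`. In either case the address in the path must be a mailbox that actually exists in Exchange Online, not merely a user object in the directory.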