question

AbeShaker-5414 avatar image
0 Votes"
AbeShaker-5414 asked AbeShaker-5414 commented

Microsoft Graph API, DELETE request response, "Access is denied. Check credentials and try again."

Hello. I'm working on a short shell script to remove e-mails from three different inboxes. Our M365 admin successfully registered, configured and authorized an app which allows us to get an access token via script.

We can read e-mails successfully from all three accounts but cannot delete e-mails. The admin has confirmed that the API does have the Mail.ReadWrite permission as mentioned here. When I test this out on my own account using my own token it works fine. Is there another permission needed in order to do this? Thank you.

curl -X DELETE -H "Authorization: Bearer $AccessToken" "https://graph.microsoft.com/v1.0/me/messages/$EmailID"

microsoft-graph-mail
· 3
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Danstan-MSFT avatar image Danstan-MSFT ·

How are you acquiring the access token from the script. what error do you get when you try to delete using the access token acquired via the script?

0 Votes 0 ·
AbeShaker-5414 avatar image AbeShaker-5414 Danstan-MSFT ·

Hi. We're acquiring the token via curl (sample below). The output is a token, which is working great to read e-mail, but we cannot delete e-mails w/ the same token. We've confirmed that the app does have the Mail.ReadWrite permission. Since we're interfacing w/ more than one account, would the Mail.ReadWrite.Shared permission need to be set?

The error we get is, "{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}"

 curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "client_id=<client_id>" --data-urlencode "scope=https://graph.microsoft.com/.default" --data-urlencode "client_secret=client_secret" --data-urlencode "grant_type=client_credentials" "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
0 Votes 0 ·
Danstan-MSFT avatar image Danstan-MSFT AbeShaker-5414 ·

I have left an answer that should help. Please accept and upvote to help other community users

1 Vote 1 ·

1 Answer

Danstan-MSFT avatar image
2 Votes"
Danstan-MSFT answered AbeShaker-5414 commented

You can not use the token acquired using client_credentials grant type to call the /me and all its extensions because they required delegated permissions(signedin user). See here

Since you are using application permissions, you need to use https://graph.microsoft.com/v1.0/users/{user-id}/messages/{message-id} or any endpoint here that has no /me




· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AbeShaker-5414 avatar image AbeShaker-5414 ·

This worked perfectly! Thank you! The final curl statement looks like this:

 curl -X DELETE -H "Authorization: Bearer $AccessToken" "https://graph.microsoft.com/v1.0/users/$UserID/messages/$MessageID"
1 Vote 1 ·