0 Votes
AbeShaker-5414 asked AbeShaker-5414 commented

Microsoft Graph API, DELETE request response, "Access is denied. Check credentials and try again."

Hello. I'm working on a short shell script to remove e-mails from three different inboxes. Our M365 admin successfully registered, configured and authorized an app which allows us to get an access token via script.

We can read e-mails successfully from all three accounts but cannot delete e-mails. The admin has confirmed that the API does have the Mail.ReadWrite permission as mentioned here. When I test this out on my own account using my own token it works fine. Is there another permission needed in order to do this? Thank you.

curl -X DELETE -H "Authorization: Bearer $AccessToken" "https://graph.microsoft.com/v1.0/me/messages/$EmailID"

microsoft-graph-mail

How are you acquiring the access token from the script? What error do you get when you try to delete using the access token acquired via the script?

0 Votes 0 ·

Hi. We're acquiring the token via curl (sample below). The output is a token, which is working great to read e-mail, but we cannot delete e-mails w/ the same token. We've confirmed that the app does have the Mail.ReadWrite permission. Since we're interfacing w/ more than one account, would the Mail.ReadWrite.Shared permission need to be set?

The error we get is, "{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}"

 curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "client_id=<client_id>" --data-urlencode "scope=https://graph.microsoft.com/.default" --data-urlencode "client_secret=<client_secret>" --data-urlencode "grant_type=client_credentials" "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
0 Votes 0 ·

I have left an answer that should help. Please accept and upvote to help other community users.

1 Vote 1 ·

1 Answer

2 Votes
Danstan-MSFT answered AbeShaker-5414 commented

You cannot use the token acquired using the client_credentials grant type to call /me and all its extensions because they require delegated permissions (signed-in user). See here

Since you are using application permissions, you need to use https://graph.microsoft.com/v1.0/users/{user-id}/messages/{message-id} or any endpoint here that has no /me.

This worked perfectly! Thank you! The final curl statement looks like this:

 curl -X DELETE -H "Authorization: Bearer $AccessToken" "https://graph.microsoft.com/v1.0/users/$UserID/messages/$MessageID"
1 Vote 1 ·
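
As an added example (not part of the original thread): a shell helper that inspects the access token's claims to tell a client_credentials (app-only) token from a delegated one, and builds the message URL that token can use, which is the distinction the answer above describes. It assumes the token is a JWT carrying the Microsoft identity platform's `scp` or `roles` claim; the function names and the sample tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Claim names (scp, roles) are the
# Microsoft identity platform's; function names are hypothetical.

# Decode the payload (second segment) of a JWT: base64url -> padded base64.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# "delegated" if the token has scp (signed-in user), "app" if it has only
# roles (client_credentials), else "unknown". Substring match on the claim
# name keeps this dependency-free; use a JSON parser for anything stricter.
token_kind() {
    payload=$(jwt_payload "$1" 2>/dev/null) || { echo unknown; return 0; }
    case $payload in
        *'"scp"'*)   echo delegated ;;
        *'"roles"'*) echo app ;;
        *)           echo unknown ;;
    esac
}

# message_url TOKEN MESSAGE_ID [USER_ID]: print the URL this token can use.
message_url() {
    base="https://graph.microsoft.com/v1.0"
    case $(token_kind "$1") in
        delegated) echo "$base/me/messages/$2" ;;
        app)
            if [ -z "$3" ]; then
                echo "app-only token: /me has no user, pass a user id" >&2
                return 1
            fi
            echo "$base/users/$3/messages/$2" ;;
        *)  echo "cannot classify token" >&2; return 1 ;;
    esac
}

# Constructed, unsigned sample token for offline runs (not a real token).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
fake_jwt() { echo "$(b64url '{"alg":"none"}').$(b64url "$1").sig"; }
```

Running `token_kind "$AccessToken"` before the DELETE shows which endpoint family the token can address, so a script fails early instead of on ErrorAccessDenied.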