I seem to be having issues giving my application the permissions required to access another user in the organization's email messages. I had my admin grant my application all of the possible permissions through the Azure Portal and I’m getting an ‘Access is Denied’ error in the test application I downloaded from the Graph website. This makes me think that perhaps I am not using the correct call to the API.
Here is the code I’m using to retrieve another user’s email:
    IMailFolderMessagesCollectionPage messages = await graphClient.Users["userID"].MailFolders.Inbox.Messages.Request().Top(25).GetAsync();
where “userID” is the id value I obtained from getting all users in my organization through the graph explorer.
Full code:
(Controller)
    [Authorize]
    public async Task<ActionResult> GetEmails()
    {
        try
        {
            // Initialize the GraphServiceClient.
            GraphServiceClient graphClient = SDKHelper.GetAuthenticatedClient();
            ResultsViewModel results = new ResultsViewModel();

            // Get the messages.
            results.Items = await graphService.GetMyInboxMessages(graphClient);
            return View("Graph", results);
        }
        catch (ServiceException se)
        {
            if (se.Error.Code == Resource.Error_AuthChallengeNeeded) return new EmptyResult();
            return RedirectToAction("Index", "Error", new { message = Resource.Error_Message + Request.RawUrl + ": " + se.Error.Message });
        }
    }
(graphService.cs)
    public async Task<List<ResultsItem>> GetMyInboxMessages(GraphServiceClient graphClient)
    {
        List<ResultsItem> items = new List<ResultsItem>();

        // Get messages in the Inbox folder.
        //IMailFolderMessagesCollectionPage messages = await graphClient.Me.MailFolders.Inbox.Messages.Request().GetAsync();
        IMailFolderMessagesCollectionPage messages = await graphClient.Users["e87151ce-093b-4820-a98c-4cef247ed2be"].MailFolders.Inbox.Messages.Request().Top(25).GetAsync();

        if (messages?.Count > 0)
        {
            foreach (Message message in messages)
            {
                // Join this message's recipient addresses; the string is built
                // per message so recipients do not carry over between items.
                string recipients = string.Join("; ", message.ToRecipients.Select(r => r.EmailAddress.Address));

                items.Add(new ResultsItem
                {
                    Type = "message",
                    SentDateTime = message.SentDateTime.Value.DateTime.ToLocalTime(),
                    Subject = message.Subject,
                    From = message.From.EmailAddress.Address.ToString(),
                    To = recipients,
                    Id = message.Id,
                    Body = message.Body.Content.ToString()
                });
            }
        }
        return items;
    }
Is this an incorrect GET request? Or is it a permissions issue?
Thanks in advance for your help.
You could request an app-only token (client credential flow) using the Read mail in all mailboxes application permission for access to Microsoft Graph. According to your description, you registered the application in the Azure portal (Azure AD v1.0), so you could try the steps below:

1. Set the Read mail in all mailboxes application permission for the Microsoft Graph API.
2. Ask your admin to grant permissions (do admin consent for the application permission) for all accounts in the current directory by clicking the Grant Permissions button as shown in the above screenshot.
3. Use the client credential flow to acquire an app-only token using the ADAL library. AzureAuthenticationProvider.cs:
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    public class AzureAuthenticationProvider : IAuthenticationProvider
    {
        private string _azureDomain = "xxxx.onmicrosoft.com";

        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
        {
            // Placeholder values; keep the real client secret in protected configuration, not in source.
            string clientId = "xxxxx-xxxx-xxxx-xxxx-xxxxxxxx";
            string clientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxx";

            AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/" + _azureDomain + "/oauth2/token");
            ClientCredential credentials = new ClientCredential(clientId, clientSecret);

            // Client credential flow: acquire an app-only token for Microsoft Graph.
            // A failure here throws, so the request is never sent without a token.
            AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", credentials);
            request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
        }
    }
If you decode your token, you will find the Mail.Read app permission in the roles claim.

Then you could use the Microsoft Graph client library to get the mails of users:

    GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
    //List<ResultsItem> items = new List<ResultsItem>();
    IMailFolderMessagesCollectionPage messages = await graphClient.Users["77cac441-8279-452e-8904-ff24ddf5c715"].MailFolders.Inbox.Messages.Request().Top(25).GetAsync();
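A small diagnostic for the token check the answer describes, as an added example that is not part of the original answer: it decodes a token's payload and reports whether it is an app-only token carrying `Mail.Read` in `roles` or a delegated token carrying scopes in `scp`. The class and method names are hypothetical, the sample tokens are constructed, and Newtonsoft.Json is assumed to be referenced.

```csharp
using System;
using System.Linq;
using System.Text;
using Newtonsoft.Json.Linq;

public static class TokenClaimCheck   // hypothetical helper, not part of the Graph SDK
{
    // Decode the payload segment of a JWT access token.
    // Diagnostics only: the signature is NOT validated here.
    public static JObject DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        // base64url -> base64, then restore the stripped padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }

    // Application permissions appear in "roles" (app-only token);
    // delegated permissions appear as space-separated scopes in "scp".
    public static string Diagnose(string jwt, string requiredRole)
    {
        JObject payload = DecodePayload(jwt);
        string[] roles = payload["roles"]?.Values<string>().ToArray() ?? new string[0];
        string scp = (string)payload["scp"];
        if (roles.Contains(requiredRole)) return "app-only token with " + requiredRole + " in roles";
        if (scp != null) return "delegated token (scp: " + scp + "), no application permission";
        return "no " + requiredRole + " in roles; check the permission and admin consent";
    }

    static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample tokens with a fake signature, not real Azure AD output.
        string header = B64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        string appOnly = header + "." + B64Url("{\"aud\":\"https://graph.microsoft.com/\",\"roles\":[\"Mail.Read\"]}") + ".sig";
        string delegated = header + "." + B64Url("{\"aud\":\"https://graph.microsoft.com/\",\"scp\":\"User.Read Mail.Read\"}") + ".sig";
        string noConsent = header + "." + B64Url("{\"aud\":\"https://graph.microsoft.com/\"}") + ".sig";

        Console.WriteLine(Diagnose(appOnly, "Mail.Read"));
        Console.WriteLine(Diagnose(delegated, "Mail.Read"));
        Console.WriteLine(Diagnose(noConsent, "Mail.Read"));
    }
}
```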