9

I'm trying to use the Microsoft Graph API to query an Outlook/O365 mailbox for messages. I registered my app in the Azure portal and received the necessary information to query the API. The app has the Mail.Read permission. (I don't have access to the Azure portal, I was told it was set up this way.) When I get my token from the OAuth endpoint, however, it doesn't work in any subsequent calls. I'm using Python's requests module for testing right now.

Why is this call failing? It seems like I'm passing all of the correct information but I'm clearly missing something.

I'm getting the token by performing a POST on:

https://login.microsoftonline.com/my.domain/oauth2/token

I pass the necessary parameters:

data = {'grant_type': 'client_credentials', 'client_id': CLIENTID, 'client_secret': SECRET, 'resource': APPURI}

and I get a response like this:

{
    'resource': 'APPURI',
    'expires_in': '3599',
    'ext_expires_in': '3600',
    'access_token': 'TOKENHERE',
    'expires_on': '1466179206',
    'not_before': '1466175306',
    'token_type': 'Bearer'
}

I try to use that token, however, and it doesn't work for anything I call. I'm passing it as a header:

h = {'Authorization': 'Bearer ' + TOKEN}

I'm calling this URL: 

url = 'https://graph.microsoft.com/v1.0/users/[email protected]/messages'

Specifically, I use this:

r = requests.get(url, headers=h)

The response is a 401:

{
    'error': {
        'innerError': {
            'date': '2016-06-17T15:06:30',
            'request-id': '[I assume this should be removed for privacy]'
         },
         'code': 'InvalidAuthenticationToken',
         'message': 'Access token validation failure.'
     }
}
Improve this question

5 Answers 5

Reset to default
19

in your login request, the resource parameter should be https://graph.microsoft.com

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

5

It seems to be the case, that tokens issued from the v1 endpoint aren't valid for atleast some requests with MS Graph API.

Instead try to get the token form the v2 endpoint by calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.

In case you are working with oidc discovery documents, you'll find the one for v2 at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Improve this answer

Comments

1

I think you will need to register app from here "https://apps.dev.microsoft.com" instead of from Azure Portal.

Improve this answer

1 Comment

This won't be of help. The page says - "Application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal."
1

Unless you are an using Client Credentials, you cannot access the messages another account's mailbox. Make sure that [email protected] is the same account you are authenticated with and that this address is also the userPrincipalName for the account.

You can also use a simplified URI for requesting your messages and bypassing determining the account's userPrincipalName by using /me. In this case the GET request would be https://graph.microsoft.com/v1.0/me/messages

Improve this answer

10 Comments

I'm trying to set up a task on my web app that will periodically check a specific mailbox for new emails and process attachments on them. Sounds like I'm going about it the wrong way then.
This will work but you'll need to either get a token using that mailbox's credentials or use an account with administrative privileges.
Hope it's okay to piggyback off of this. We can't figure out where to generate the credentials under the account; can't log into the portal because it's not an administrator account. Where would we do that?
The app information created in the URL provided in the other answer by Xiaomin returns this from the oauth endpoint: Application 'IDHERE' is not supported for this API version. Must not be the correct way to do it.
Let us continue this discussion in chat.
|
0

It's worth noting that even if MS's Azure documentation does not specify the need for listing the resource, I could never get to work without listing the resource.

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds.

There is a supplementary document specifiy to two-legged Auth for MS Graph that actually uses the 'resource' in the example.

https://developer.microsoft.com/en-us/graph/docs/authorization/app_only

Happy hunting!

Improve this answer

1 Comment

How to specify more than one resource there ?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.