I am attempting to add contacts to Azure through an API call from my web application using Java. I have been able to add users, add licenses to users, and other various tasks using the same API call set up without any issue. However, when adding a contact, I get the following error:

 Exception in thread "main" com.microsoft.graph.http.GraphServiceException: Error code: 
 ErrorAccessDenied
 Error message: Access is denied. Check credentials and try again.

 POST https://graph.microsoft.com/v1.0/me/contacts
 SdkVersion : graph-java/v2.3.2
 SdkVersion : graph-java/v2.3.2
 Authorization : [PII_REDACTED]
 {"businessPhones":["+1 212 212 2121"],"emailAddres[...]

 403 : Forbidden

I have made sure that all the correct permissions were there, and in an attempt to troubleshoot have given the app nearly all permissions. The only other thing I was able to see as a possible issue through Microsoft's documentation is that it could be a "scope" issue, as all the calls were being made to here up to this point:

        ClientCredentialParameters parameters = ClientCredentialParameters
                .builder(Collections.singleton("https://graph.microsoft.com/.default")).build();

        CompletableFuture<IAuthenticationResult> future = app.acquireToken(parameters);

In addition, when I go to do these calls manually using the graph explorer, I get this response:

"error": {
    "code": "MailboxNotEnabledForRESTAPI",
    "message": "REST API is not yet supported for this mailbox.",
    "innerError": {
        "date": "2021-01-22T17:09:37",
        "request-id": "***********************",
        "client-request-id": "*********************"
    }
}
  • Please check your access token in jwt.ms and see if you have the permission in your token. Are you using an app token or a user token? For the second error, make sure you have the proper license, like E3 or E5, which has an Exchange license in it. Commented Jan 22, 2021 at 17:24
  • Hi, thank you. When you say jwt.ms, where is that? I believe I am using an app token. Commented Jan 22, 2021 at 18:19
  • Click on the link which I gave above and paste your access token there to check it. Commented Jan 25, 2021 at 5:35

1 Answer

Your idea is correct: you are using a daemon-based client credential flow to obtain an access token, which is an application token. The client credential flow is usually used for server-to-server interactions that must run in the background and do not interact with the user immediately (no user logged in). The /me endpoint needs to accept a user token, because it has user interaction. So you cannot use an application token to call the /me endpoint.

The easiest way is to change the /me endpoint to the /users endpoint:

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts

As for the second error:

"MailboxNotEnabledForRESTAPI - REST API is not yet supported for this mailbox": this error message means that the email account you are using to send email doesn't have an Exchange Online license. You need to assign licenses to users.
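The token check suggested in the comments and the /me versus /users point from the answer, combined into an added example (not code from the original post or from the Graph SDK): it decodes a token's payload locally, tells an app-only token (`roles` claim) from a delegated one (`scp` claim), and returns the contacts URL that token can call. The class name `GraphTokenCheck`, the `Contacts.ReadWrite` permission check, the regex-based claim extraction (used here instead of a JSON library) and the `user@contoso.example` placeholder are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GraphTokenCheck {
    static final String PERM = "Contacts.ReadWrite"; // assumed required permission
    // "scp":"A B" carries delegated permissions (a signed-in user exists).
    static final Pattern SCP = Pattern.compile("\"scp\"\\s*:\\s*\"([^\"]*)\"");
    // "roles":["A","B"] carries application permissions (client credentials).
    static final Pattern ROLES = Pattern.compile("\"roles\"\\s*:\\s*\\[([^\\]]*)\\]");

    // Decode the payload segment only; no signature check, this is for diagnosis.
    static String payload(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Pick the contacts URL the token can call, or fail with the reason.
    static String contactsUrl(String jwt, String userIdOrUpn) {
        String json = payload(jwt);
        Matcher scp = SCP.matcher(json);
        Matcher roles = ROLES.matcher(json);
        if (scp.find()) { // user token: /me resolves to the signed-in user
            if (!Arrays.asList(scp.group(1).split(" ")).contains(PERM))
                throw new IllegalStateException("delegated token lacks " + PERM);
            return "https://graph.microsoft.com/v1.0/me/contacts";
        }
        if (roles.find()) { // app token: no user, so the target must be named
            if (!roles.group(1).contains("\"" + PERM + "\""))
                throw new IllegalStateException("app token lacks " + PERM);
            return "https://graph.microsoft.com/v1.0/users/" + userIdOrUpn + "/contacts";
        }
        throw new IllegalStateException("token has neither scp nor roles");
    }

    public static void main(String[] args) {
        // Constructed, unsigned sample shaped like an app-only token.
        String body = "{\"aud\":\"https://graph.microsoft.com\","
                + "\"roles\":[\"User.ReadWrite.All\",\"Contacts.ReadWrite\"]}";
        String jwt = "e30." + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(body.getBytes(StandardCharsets.UTF_8)) + ".sig";
        System.out.println(contactsUrl(jwt, "user@contoso.example"));
    }
}
```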
