Trying to use the Microsoft Graph API to read Office 365 mail. I can authenticate via Azure AD (not V2) and get a token, but the only permission I get is User.Read. I want Mail.Read.
My app registration in the Azure portal includes a Mail.Read permission: API "Microsoft Graph", permission "Read user mail". In the /authorize request, I specify both resource and scope, the latter being https://graph.windows.net/mail.read. Yet when the token JSON comes back, it has "scope":"User.Read". And the request to https://graph.microsoft.com/v1.0/me/messages returns error 403, while https://graph.microsoft.com/v1.0/me/ works as expected.
What am I missing?
EDIT: the initial OAuth URI is:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3a%2f%2fredacted.com%2fgoblin%2fback.aspx&client_id=3b595e3f-aecf-4a8c-8ec3-309810d75783&response_mode=query&scope=https%3a%2f%2fgraph.windows.net%2fmail.read&resource=https%3a%2f%2fgraph.windows.net%2f
The JSON goes:
{
"token_type": "Bearer",
"scope": "User.Read",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1494364932",
"not_before": "1494361032",
"resource": "https://graph.microsoft.com/",
"access_token": "redacted",
"refresh_token": "redacted",
"id_token": "redacted"
}
It seems like you simply need to trigger consent again.
If you have an application, and you update the permissions that the application requires, you will need to ask the user to consent to the new permissions you require.
In your code, you should have a logic check that says: if missing scope, then prompt for consent again.
You can prompt for consent by adding the following query string directly to the login url: &prompt=consent
Otherwise, you can use the PromptBehavior parameter in ADAL.
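The "missing scope, then re-prompt" check from the answer, written out as an added example (not code from either poster): it compares the scope claim in the v1 token response against the scopes the app needs and, on a shortfall, builds a fresh /authorize URL with prompt=consent. The token response below is a constructed sample modelled on the JSON in the question; the client_id and redirect_uri are placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"

# Constructed sample mirroring the token JSON in the question (secrets omitted).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "User.Read",
    "resource": "https://graph.microsoft.com/",
}


def granted_scopes(token_response: dict) -> set:
    """Scopes the token actually carries; Graph scope names are case-insensitive."""
    return {s.lower() for s in token_response.get("scope", "").split()}


def missing_scopes(token_response: dict, required: list) -> set:
    """Required scopes the user has not (yet) consented to."""
    return {s.lower() for s in required} - granted_scopes(token_response)


def build_authorize_url(client_id: str, redirect_uri: str, resource: str,
                        scope: str, force_consent: bool) -> str:
    """Build the v1 /authorize URL; prompt=consent forces the consent screen."""
    params = {
        "response_type": "code",
        "response_mode": "query",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "scope": scope,
    }
    if force_consent:
        params["prompt"] = "consent"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def next_authorize_url(token_response: dict, required: list, client_id: str,
                       redirect_uri: str, resource: str):
    """Return a consent-forcing authorize URL if scopes are missing, else None."""
    missing = missing_scopes(token_response, required)
    if not missing:
        return None
    return build_authorize_url(client_id, redirect_uri, resource,
                               " ".join(sorted(missing)), force_consent=True)


def authorize_params(url: str) -> dict:
    """Helper for inspecting a built URL: query string as single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```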