c# microsoft-graph-api microsoft-graph-sdks microsoft-graph-mail

Cannot read full user profiles MS Graph while having the needed scopes


I am using the GraphServiceClient in my code to access multiple endpoints for data. I have a service account that logs in with Azure AD, with the following scopes: Group.Read.All, User.Read.All, Mail.Read.

However, with these needed scopes I cannot get the MailFolders for a user's profile or a birthdate from the user. It gives the following error:

ServiceException: Code: -2147024891, System.UnauthorizedAccessException.

The delegated permissions in Azure AD have already been granted by an admin (https://i.sstatic.net/Wnoel.jpg).

Example MailFolders:

var result = await client
  .Users[user.Id]
  .MailFolders
  .Request()
  .GetAsync();

This is the error that came back:

ServiceException: 
   Code: ErrorAccessDenied
   Message: Access is denied. Check credentials and try again.

Can I not access other users' profiles, or am I missing something else?


Solution

  • If you have Mail.Read as a delegated permission (meaning you've logged in with a user), then you can only read your own mail, even if someone has given you permissions to their mailbox. In order to read other mailboxes, you need to request the Mail.Read.Shared permission.

    If you have Mail.Read as an application permission (meaning no logged-in user in your app, using the client credentials flow), then you can read all mailboxes in your org.
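
To see which of the cases in the answer above a given token falls into, the following added example (not part of the original answer, and not Microsoft's code) decodes an access token's payload and reports the mailbox reach of its Mail.Read grant. It relies on Azure AD placing delegated permissions in the `scp` claim and application permissions in the `roles` claim; the class and method names are hypothetical, the sample tokens are constructed and unsigned, and the payload is read without signature verification, so this is for diagnostics only.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class GraphTokenCheck   // hypothetical helper, not part of the Graph SDK
{
    // Decode the payload segment of a JWT without verifying it (diagnostic use only).
    static JsonElement DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a three-part JWT.");
        string s = parts[1].Replace('-', '+').Replace('_', '/');   // base64url -> base64
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');    // restore padding
        using var doc = JsonDocument.Parse(Convert.FromBase64String(s));
        return doc.RootElement.Clone();
    }

    // Report which mailboxes the token's Mail.Read grant can reach.
    public static string MailReach(string jwt)
    {
        JsonElement p = DecodePayload(jwt);
        // Delegated permissions: space-separated string in "scp".
        string[] scopes = p.TryGetProperty("scp", out var scp) && scp.ValueKind == JsonValueKind.String
            ? scp.GetString()!.Split(' ', StringSplitOptions.RemoveEmptyEntries)
            : Array.Empty<string>();
        // Application permissions: JSON array in "roles".
        string[] roles = p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array
            ? r.EnumerateArray().Select(e => e.GetString() ?? "").ToArray()
            : Array.Empty<string>();

        if (roles.Contains("Mail.Read")) return "application: all mailboxes in the org";
        if (scopes.Contains("Mail.Read.Shared")) return "delegated: own mailbox and mailboxes shared with the user";
        if (scopes.Contains("Mail.Read")) return "delegated: signed-in user's own mailbox only";
        return "no Mail.Read grant in this token";
    }

    // Build an unsigned token around a constructed payload (sample data, not a real token).
    static string Sample(string payloadJson)
    {
        string B64(string t) => Convert.ToBase64String(Encoding.UTF8.GetBytes(t))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return B64("{\"alg\":\"none\"}") + "." + B64(payloadJson) + ".sig";
    }

    static void Main()
    {
        // The question's delegated scopes, then an app-only token from the client credentials flow.
        Console.WriteLine(MailReach(Sample("{\"scp\":\"Group.Read.All User.Read.All Mail.Read\"}")));
        Console.WriteLine(MailReach(Sample("{\"roles\":[\"Mail.Read\",\"User.Read.All\"]}")));
    }
}
```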