I am attempting to add contacts to Azure through an API call from my web application using Java. I have been able to add users, add licenses to users, and do various other tasks using the same API call setup without any issue. However, when adding a contact, I get the following error:
Exception in thread "main" com.microsoft.graph.http.GraphServiceException: Error code: ErrorAccessDenied
Error message: Access is denied. Check credentials and try again.
POST https://graph.microsoft.com/v1.0/me/contacts
SdkVersion : graph-java/v2.3.2
SdkVersion : graph-java/v2.3.2
Authorization : [PII_REDACTED]
{"businessPhones":["+1 212 212 2121"],"emailAddres[...]
403 : Forbidden
I have made sure that all the correct permissions were there, and in an attempt to troubleshoot have given the app nearly all permissions. The only other thing I was able to see as a possible issue through Microsoft's documentation is that it could be a "scope" issue, as all the calls were being made to here up to this point:
ClientCredentialParameters parameters = ClientCredentialParameters
        .builder(Collections.singleton("https://graph.microsoft.com/.default")).build();
CompletableFuture<IAuthenticationResult> future = app.acquireToken(parameters);
In addition, when I do these calls manually using Graph Explorer, I get this response:
"error": {
"code": "MailboxNotEnabledForRESTAPI",
"message": "REST API is not yet supported for this mailbox.",
"innerError": {
"date": "2021-01-22T17:09:37",
"request-id": "***********************",
"client-request-id": "*********************"
}
}
Your idea is correct: you are using a daemon-based client credential flow to obtain an access token, which is an application token. The client credential flow is usually used for server-to-server interactions that must run in the background and do not interact with the user immediately (no user logged in). The /me endpoint needs to accept a user token, because it has user interaction. So you cannot use an application token to call the /me endpoint.
The easiest way is to change the /me endpoint to the /users endpoint:
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts
As for the second error:
"MailboxNotEnabledForRESTAPI - REST API is not yet supported for this mailbox" This error message means that the email account you are using to send email doesn't have an Exchange Online license. You need to assign licenses to users: