Search code examples
azure-active-directorymicrosoft-graph-apipostmanoutlook-api

Access Token through Azure Active Directory for Graph API ends in Property Error

I'm trying to call the Graph API: https://graph.microsoft.com/v1.0/me/sendMail. I run the query successfully with the Graph Explorer, where I gave my user the Mail.Send permission. And if I use the Access Token from the Graph Explorer in Postman it works too.

But if I use my own Access Token which I create from calling the Azure Active Directory App in ends in this error:

  {
    "error": {
        "code": "RequestBodyRead",
        "message": "The property 'subject' does not exist on type 'Microsoft.OutlookServices.Message'. Make sure to only use property names that are defined by the type or mark the type as open type. REST APIs for this mailbox are currently in preview. You can find more information about the preview REST APIs at https://dev.outlook.com/.",
        "innerError": {
            "date": "2021-12-23T12:47:23",
            "request-id": "cbb00b85-295b-45e2-abc7-f064ec52f994",
            "client-request-id": "cbb00b85-295b-45e2-abc7-f064ec52f994"
        }
    }

The body in the message is the same, I just changed the Access Token from the Graph Explorer to the one I created. The Access Token is created through a POST Request to:

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb09-9f3-476-9bf-4f126479986
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qPX
&grant_type=client_credentials

I checked both Tokens with https://jwt.io/ if they vary in some way. The only thing which was odd was the parameter "aud" for Audience. The value in my Token was different than the one from the Graph Explorer, but I don't know if I can change that.

The Azure Active Directory App does have the necessary permissions, also with Admin consens. enter image description here

Help is much appreciated.

Solution

  • You have given Delegated permissions to the application which allow your app to call an API on behalf of a user. But you authenticate using only application credentials where no user is involved. In that case only Application permissions apply.

    You either need to grant the "Send mail as any user" Application permission (and use /users/user-id instead of /me), or you need to change how you authenticate such that it involves a user at some point of the process.