
403 Forbidden when reading mailbox with EWS and OAuth


After Microsoft deprecated basic authentication for EWS, I am trying to update an existing app in order to support the newer type of authentication. However, whatever I do, the call ends with a 403 Forbidden.

I'd be thankful for any kind of help.

Code

    using System;
    using Microsoft.Exchange.WebServices.Data;   // EWS Managed API
    using Microsoft.Identity.Client;             // MSAL

    // App registration values (placeholders)
    var cca = ConfidentialClientApplicationBuilder
        .Create("AppId")
        .WithClientSecret("ClientSecret")
        .WithTenantId("TenantId")
        .Build();

    // Client-credentials flow: the app acts as itself, so EWS authorizes the call
    // from the application permissions (the token's "roles" claim), not a user's scopes
    var ewsScopes = new string[] { "https://outlook.office365.com/.default" };
    var emailToBeRead = "[email protected]";
    try
    {
        // Blocking on .Result is acceptable in a console app; prefer await elsewhere
        var authResult = cca.AcquireTokenForClient(ewsScopes)
            .ExecuteAsync().Result;

        // Configure the ExchangeService with the access token and the mailbox to impersonate
        var ewsClient = new ExchangeService
        {
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
            Credentials = new OAuthCredentials(authResult.AccessToken),
            ImpersonatedUserId =
                new ImpersonatedUserId(ConnectingIdType.SmtpAddress, emailToBeRead)
        };

        // Include the X-AnchorMailbox header so the request is routed to the right mailbox server
        ewsClient.HttpHeaders.Add("X-AnchorMailbox", emailToBeRead);

        // Make an EWS call: list the first 10 folders under the message folder root
        var folders = ewsClient.FindFolders(WellKnownFolderName.MsgFolderRoot, new FolderView(10));
        foreach (var folder in folders)
        {
            Console.WriteLine($"Folder: {folder.DisplayName}");
        }
    }
    catch (MsalException ex)
    {
        // Token acquisition failed (bad client secret, tenant, scope, ...)
        Console.WriteLine($"Error acquiring access token: {ex}");
    }
    catch (Exception ex)
    {
        // EWS call failed; a ServiceRequestException with 403 lands here
        Console.WriteLine($"Error: {ex}");
    }

Permissions

(screenshot of the app's API permissions, not included in this copy)


Solution

  • The solution to the issue is to grant the full_access_as_app permission from the Office 365 Online Exchange API in Azure Active Directory to the app that will be accessing the mailboxes.
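Before the EWS call, it is worth confirming that the token MSAL returned actually carries the application permission the answer above grants; this added example (not code from the question or the answer) decodes the token's payload and reports why Exchange would refuse it. It assumes the audience equals the resource used in the question's scope and, like any diagnostic on the client's own token, it does not validate the signature; Exchange does that.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

static class EwsTokenCheck
{
    // Assumption: the resource part of the scope "https://outlook.office365.com/.default"
    const string ExpectedAudience = "https://outlook.office365.com";
    // Application permission EWS requires for app-only access to mailboxes
    const string RequiredRole = "full_access_as_app";

    // Returns the problems found; an empty list means audience and permission look right.
    public static IList<string> Inspect(string accessToken)
    {
        var problems = new List<string>();
        var parts = accessToken.Split('.');
        if (parts.Length != 3)
        {
            problems.Add("not a JWT (expected header.payload.signature)");
            return problems;
        }

        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var payload = doc.RootElement;

        var aud = payload.TryGetProperty("aud", out var a) ? a.GetString() : null;
        if (aud != ExpectedAudience)
            problems.Add($"audience '{aud}' is not {ExpectedAudience}; check the requested scope");

        // Application permissions show up in "roles"; delegated ones would be in "scp".
        var roles = new List<string>();
        if (payload.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array)
            foreach (var role in r.EnumerateArray()) roles.Add(role.GetString() ?? "");

        if (roles.Count == 0)
            problems.Add("no 'roles' claim: no application permission granted, or admin consent missing");
        else if (!roles.Contains(RequiredRole))
            problems.Add($"roles [{string.Join(", ", roles)}] do not include '{RequiredRole}'");

        return problems;
    }

    // JWT segments are base64url without padding; restore standard base64 before decoding
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Convert.FromBase64String(s);
    }
}
```

Call `EwsTokenCheck.Inspect(authResult.AccessToken)` right after token acquisition and print anything it returns before hitting EWS. Because full_access_as_app covers every mailbox in the tenant, pair it with an Exchange Online application access policy (New-ApplicationAccessPolicy) to limit which mailboxes the app can reach.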