Microsoft Graph API 尝试使用 $expand(microsoft.graph.itemattachment/item) 读取 ItemAttachment 属性时“访问被拒绝”

Question

I am trying to retrieve the properties of an ItemAttachment, which is of message type. I have given all the required permissions and able to receive the ItemAttachment properties. But when I use $expand to get further properties of the ItemAttachment message. I am getting Access Denied Error.

For what I have read it says that you need Mail.read permission which I have already given to my Azure AD application for Graph API and I am able to fetch all the messages but only when I try to use $expand to get the properties for the ItemAttachment which is of message type I am getting Access Denied.

I couldn't find any thing related to specific permissions that might be required for this to work on the microsoft doc ( https://docs.microsoft.com/en-us/graph/api/attachment-get?view=graph-rest-1.0&tabs=java ).

I also referred to a similar post ( How to retrieve contents of an itemAttachment via the Microsoft Graph API ) and do not find anything either.

Below are the details:

Java Code:

graphClient.me().messages(messageId).attachments(attachmentId)
                .buildRequest()
                .expand("microsoft.graph.itemattachment/item")
                .get();

This generates a REST call something like below:

GET https://graph.microsoft.com/v1.0/me/messages/A2zjArAAA=/attachments/5AlfysT-Cz27w=?$expand=microsoft.graph.itemattachment/item

But I am getting below "Access Denied" error.

403 : Forbidden
Cache-Control : private
Content-Length : 101
Content-Type : application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}

I have the following permissions for my application Azure Active Directory Application:

The microsoft graph API SdkVersion that I am using is: graph-java/v2.3.1.

I am not sure if I am missing anything here. Appreciate if anybody can please guide me towards a solution for this.

Answer 1

As Shiva mentioned in comments, you use graphClient.me() in your code, but you assign Mail.Read permission of " Application " type. If assign " Application " type permission, it just requires client_id , scope , client_secret , grant_type to get access token. So the access token doesn't contain user info, ad do not know who is me , so the code graphClient.me() can't be recognized.

If you want to run the code( graphClient.me()... ) success, you need to add permission Mail.Read in " Delegated " type but not " Application " type (follow the steps in below screenshot and also do not forget do grant admin consent).

Answer 2

As you are using application permissions it seams like you have a daemon application and the flow that you use for daemon applications will produce App token. This doesn't recognise /me because there is no user here. So try using /users/{userid}/messages .