Access denied for application with client credentials flow

Question

We have set up an application in AAD.

The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin have pushed the "Grant permissions" button in the portal. Still We get Access denied error when trying to access

https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders 

for my userid ( myId ). The URL works fine in graph explorer when I'm logged in as my own user.

Also, decoding the JWT at jwt.io shows the application id, name and "aud" ( https://graph.microsoft.com ) - but no roles/scopes.

What have we done wrong?

Answer 1

These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app.

The effective rights are the intersection of the user rights and and the rigths of the app .

"Effective permissions are the permissions that your app will have when making requests to an API.

• For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (through consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."

The user also needs permission to use the app in AAD.

If it is not a delegated permission, maybe there is the need for some global admin to grant the consent for all users. "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users.

Answer 2

Ok so I submitted a ticket to Microsoft Support. I haven't received any response yet, but now it all works just fine. I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday.