问题
We have an application on Azure that we were already able to read user's email so far after a lot of work and frustration.
For testing purpose I gave the application almost full access (see image) below), including but not limited to sending email on behalf of users, reading users email and etc. I know we don't have to give the application such access unless needed but this is just to make sending email work.
I've this curl code for test purpose to send email
curl -i https://graph.microsoft.com/v1.0/me/sendmail -H 'Content-Type: application/json' -X POST -d '{"Message":{"Subject": hi", "Body": {"ContentType": "Text", "Content": "body"},"ToRecipients":[{"EmailAddress": {"Address": "alerts-noreply@mail.windowsazure.com"}}]},"SaveToSentItems": "true"}' -H 'Authorization: Bearer eyJ......TOKEN.....YlhaHbAFQ'
and it gave me this error
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "4895f98f-c5a4-4083-867b-f6c7b4634b7f",
"date": "2017-01-24T21:48:47"
}
}
}
If the Application has such full access, why would the app get denied ?
Token was acquired by the following code:
https://login.microsoftonline.com/f0263....0be3/oauth2/authorize?client_id=8a676..e4b6&redirect_uri=http://www.wrabc.com:8090/&response_type=code.
I appericiate your help.
回答1:
To execute the API of send a message, we need to grant the Mail.Send permission. If you change the permission after users have granted the app, the users need to update the permission by re-granting.
Another possible way to re-grant is that add the parameter prompt=consent when you init the authorization request. More detail about parameters in the request, you can refer here.
回答2:
If you added the permission after you gave consent, can you try removing the app for the user at https://myapps.microsoft.com/ or registering a new app? Then sign in and give consent again. That should update the scp for the token.
来源:https://stackoverflow.com/questions/41839740/office-365-api-erroraccessdenied-access-is-denied-when-sending-an-email