5

Using Postman, I am trying to retrieve the last emails received in my Outlook mailbox.

To achieve this, I have declared my app in the App Portal. Then, I can do a GET request to get a token from the endpoint:

https://login.microsoftonline.com/[tenantId]/oauth2/token

Next, I try to use the token I received to perform a request at

https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messages

The problem is that the API returns:

{
  "code": "NoPermissionsInAccessToken",
  "message": "The token contains no permissions, or permissions can not be understood.",
}

In the permissions of my app, I have authorized every action related to reading emails. Am I missing something?

Marc LaFleur
Roatha Chann
  • 1
    Welcome to Stack Overflow! I strongly recommend reading ["How do I ask a good question?"](https://stackoverflow.com/help/how-to-ask) for some tips on getting started. You're missing a lot of key details in your question: Which scopes exactly did you register for? How exactly did you call `/token`? Did you get "Admin Consent" for this app? – Marc LaFleur Apr 08 '19 at 15:35

3 Answers

7

I was actually missing admin approval for the scopes (read.mail in my case). In an app-only usage, you need to get approval from an admin. To do so, the admin must use this URL:

https://login.microsoftonline.com/common/adminconsent?client_id=[your_client_id]&state=[random_string]&redirect_uri=http://localhost/

The admin will be prompted to approve permissions.

Roatha Chann
6

This sounds like you forgot to "Grant permission" (it happens to the best of us :P).

Grant the permission for your tenant. The easiest way is through https://portal.azure.com -> Azure AD -> App Registrations -> Your App -> Settings -> Required permissions -> Button Grant Access.

Related to this answer

It also helps to take the token and paste it into https://jwt.ms, which will show you all the data in the token (and should also show the claims about the granted permissions).

Stephan
0

The exception is the API to find meeting times or send mail, which applies to only Office 365 mailboxes (on Azure AD) and not to Microsoft accounts.

For simplicity of reference, the rest of this article uses Outlook.com to include these Microsoft account domains.

https://learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/calendar-rest-operations