
Our setup is an on-premise Exchange Server which is accessible over the Graph API: https://learn.microsoft.com/en-us/graph/hybrid-rest-support

(https://www.msxfaq.de/cloud/graph/graph_und_exchange_onprem.htm)

We ran into the issue that our token is only "partially" working, while a token created by "Graph-Playground" is fully working. But we can't find any difference.

  • When I use Graph-Playground or use the token generated by Graph-Playground => all requests are working
  • When I create a token (over my app registration) => only some requests are working

The token seems to be valid: some calls like /me are working, but all calls related to Exchange like /me/contacts are failing with this error.

Requests that work with a token generated by Postman:
Error:
{ "error": { "code": "MailboxNotEnabledForRESTAPI", "message": "REST API is not yet supported for this mailbox." } }

(That's a very generic error and mostly doesn't say anything about the real issue.)

Token Generation:

I create my token the same way as Graph-Playground creates the token (OAuth - Implicit flow):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=token&state=test2&client_id=????&scope=openid%20profile%20User.Read%20email%20Contacts.Read&redirect_uri=????

Token - Analysis:

[Screenshot of the token analysis]

As a side note, it was working for a few days, nobody changed anything :)

So I have no idea why the "Graph Playground" can create a working token while my token only "partially" works. Can you help me?

There is already a thread, but I'm not the owner of it. Also, there are no more responses... I can't provide a bounty for a foreign thread; that's why I created a new thread. You can find it here:

MailboxNotEnabledForRESTAPI - Microsoft Graph API integration with HMA Enabled on-premise server

marc_s
Cyril Iselin
  • Please share the response info (requestid, timestamp) so that I can analyze!! – Dev Nov 20 '20 at 17:03
  • RequestId: c465e6ec-9a7c-4f18-bce5-69ef132402e7 Date: Sun, 22 Nov 2020 16:11:33 GMT ServerInfo:North-Europe,SliceC,Ring 4,ScaleUnit 002,RoleInstance AGSFE_IN_2 – Cyril Iselin Nov 22 '20 at 16:12
  • Unfortunately I don't see any records for the above. Please get me a new requestid, timestamp - try to make a new API call so that you can get it!! Also please confirm whether the same API calls worked for you earlier and are now not working. I see your statement "As a side note, it was working for a few days, nobody changed anything"; but just to validate with respect to the above API calls which are failing now. – Dev Nov 23 '20 at 09:29
  • Date: Mon, 23 Nov 2020 12:18:51 GMT | RequestId: a05145bb-b03c-402b-a0af-0c90b726ce1a | Url: https://graph.microsoft.com/v1.0/me/calendar After the initial hybrid setup (beginning of November) it was working. – Cyril Iselin Nov 23 '20 at 12:20
  • Interesting... As you are aware, it can happen when you're in a preview feature, as they're not GA (General Availability) yet - since we know that this is an Exchange Hybrid deployment and accessing the Graph API is still in preview. You can check - https://learn.microsoft.com/en-us/graph/hybrid-rest-support – Dev Nov 26 '20 at 18:39
  • In general, preview features are features that aren't complete, but are made available on a "preview" basis so customers can get early access and provide feedback. Even in the above document there is a disclaimer telling that "The ability to use these REST APIs in hybrid deployments is currently in preview."... That being said, if you hear back anything do share it here :) – Dev Nov 26 '20 at 18:39
  • @Dev this does not explain why everything works with the same credentials and the token requested by the playground – Manuel Amstutz Nov 26 '20 at 18:59
  • Any news on this issue? – Bronzato Dec 22 '20 at 19:20
  • I'm still working to get support :-) I bought a "paid incident" from Microsoft for 500 dollars. The answer is still the same: "sorry another department is responsible for this issue" (from Azure dev support, from Office support, ...). I will post updates here. – Cyril Iselin Dec 31 '20 at 09:36
  • New answer from Microsoft: "the ticket has already escalated to the highest specialist department and the case is being processed". I will post updates here :) – Cyril Iselin Jan 20 '21 at 18:08
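
An added example, not part of the original question or comments: one way to compare the playground token with the app-registration token claim by claim, instead of reading two decoded payloads side by side. The function names and both sample tokens are constructed for illustration; the claim names (`aud`, `appid`, `scp`, `tid`) are assumed to be the ones present in your access tokens.

```python
import base64
import json

# Claims that differ on every issuance and would only add noise to the diff.
VOLATILE = {"iat", "nbf", "exp", "uti", "aio", "rh", "nonce"}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string (constructed demo input only)."""
    return ".".join([_b64url({"typ": "JWT", "alg": "none"}), _b64url(claims), "sig"])

def decode_claims(token: str) -> dict:
    """Decode the payload segment for inspection; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diff_claims(working: str, failing: str) -> dict:
    """Return only the stable claims whose values differ between two tokens."""
    a, b = decode_claims(working), decode_claims(failing)
    out = {}
    for key in sorted((a.keys() | b.keys()) - VOLATILE):
        va, vb = a.get(key), b.get(key)
        if key == "scp":  # space-separated delegated scopes; order is irrelevant
            sa, sb = set((va or "").split()), set((vb or "").split())
            if sa != sb:
                out[key] = {"only_working": sorted(sa - sb),
                            "only_failing": sorted(sb - sa)}
        elif va != vb:
            out[key] = {"working": va, "failing": vb}
    return out

# Constructed sample tokens: placeholder ids, scopes taken from the authorize URL above.
COMMON = {"aud": "https://graph.microsoft.com", "tid": "tenant-placeholder"}
WORKING = make_sample_token({**COMMON, "appid": "playground-app-placeholder", "iat": 1,
    "scp": "openid profile User.Read email Contacts.Read Calendars.Read"})
FAILING = make_sample_token({**COMMON, "appid": "own-app-placeholder", "iat": 2,
    "scp": "Contacts.Read User.Read email openid profile"})

if __name__ == "__main__":
    print(json.dumps(diff_claims(WORKING, FAILING), indent=2))
```

If the only stable difference is the client id, the token contents are the same apart from which application requested them, and the next place to look is configuration that is keyed on the application.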

1 Answer


I recognize your error, we see it in several cases (for Office 365):

  1. User has no Exchange license (probably not the case, since it works in the explorer).
  2. Customer tenant has set up additional security.

You can limit applications to certain mailboxes. Maybe there is some kind of setting or policy like this on your local Exchange as well. You have to connect to Exchange Online PowerShell to set it, so maybe you can find something there. This is just a wild guess.

To track down this issue I would start checking the local Exchange logs.

Have you tried using the /users/{upn}/calendar endpoint? Maybe it's just that the /me/ part doesn't work.

Stephan