
I am trying to retrieve the properties of an ItemAttachment, which is of message type. I have given all the required permissions and am able to receive the ItemAttachment properties. But when I use $expand to get further properties of the ItemAttachment message, I am getting an Access Denied error.

From what I have read, you need the Mail.Read permission, which I have already given to my Azure AD application for Graph API, and I am able to fetch all the messages. Only when I try to use $expand to get the properties for the ItemAttachment which is of message type am I getting Access Denied.

I couldn't find anything related to specific permissions that might be required for this to work in the Microsoft docs (https://learn.microsoft.com/en-us/graph/api/attachment-get?view=graph-rest-1.0&tabs=java).

I also referred to a similar post (How to retrieve contents of an itemAttachment via the Microsoft Graph API) and did not find anything there either.

Below are the details:

Java Code:

```java
graphClient.me().messages(messageId).attachments(attachmentId)
        .buildRequest()
        .expand("microsoft.graph.itemattachment/item")
        .get();
```

This generates a REST call something like below:

```
GET https://graph.microsoft.com/v1.0/me/messages/A2zjArAAA=/attachments/5AlfysT-Cz27w=?$expand=microsoft.graph.itemattachment/item
```

But I am getting the below "Access Denied" error.

```
403 : Forbidden
Cache-Control : private
Content-Length : 101
Content-Type : application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}
```

I have the following permissions for my Azure Active Directory application: (screenshot not preserved)

The Microsoft Graph API SdkVersion that I am using is: graph-java/v2.3.1.

I am not sure if I am missing anything here. I would appreciate it if anybody can please guide me towards a solution for this.

Hury Shen
Arpit
  • As you are using application permissions it seems like you have a daemon application and the flow that you use for daemon applications will produce an App token. This doesn't recognise `/me` because there is no user here. So try using `/users/{userid}/messages`. – Shiva Keshav Varma Dec 05 '20 at 15:21
  • Thanks Shiva, got it working. My mistake. When I put the UPN I was able to get it working. Thanks for the help. – Arpit Dec 07 '20 at 06:32
  • Glad that it worked for you!! As the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions. See https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work – Shiva Keshav Varma Dec 07 '20 at 08:49

2 Answers


As Shiva mentioned in the comments, you use graphClient.me() in your code, but you assigned the Mail.Read permission of "Application" type. If you assign an "Application" type permission, it just requires client_id, scope, client_secret, grant_type to get an access token. So the access token doesn't contain user info and does not know who "me" is, so the code graphClient.me() can't be recognized.

If you want to run the code (graphClient.me()...) successfully, you need to add the Mail.Read permission of "Delegated" type, not "Application" type (follow the steps in the screenshot below and also do not forget to grant admin consent). (screenshot not preserved)

Hury Shen
  • @Arpit Good, could you please [accept](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work/5235#5235) the solution as the answer (click on the check mark beside my answer to toggle it from greyed out to filled in). Thanks in advance~ – Hury Shen Dec 07 '20 at 06:35

As you are using application permissions it seems like you have a daemon application and the flow that you use for daemon applications will produce an App token. This doesn't recognise `/me` because there is no user here. So try using `/users/{userid}/messages`.

Shiva Keshav Varma
  • Thanks Shiva, for pointing that out. Just wondering if it is possible to fetch the nested attachments also through Graph API, i.e. attachments to the Email Attachment? – Arpit Dec 07 '20 at 10:14
  • You can look at this [post](https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/34632904-graph-api-retrieving-nested-mail-attachments-not-a). – Shiva Keshav Varma Dec 07 '20 at 10:18
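
The distinction both answers draw (app-only token versus delegated token) can be checked from the token itself before the request is built. The following is an added example, not code from the original posts or from the Graph SDK: it assumes the usual Azure AD access-token layout in which delegated permissions appear in the `scp` claim and application permissions in the `roles` claim, and the helper names, the UPN and the sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
EXPAND = "?$expand=microsoft.graph.itemattachment/item"  # query from the question


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims):
    """Assumption: 'scp' marks a delegated token, 'roles' without 'scp' an app-only one."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "unknown"


def attachment_url(token, message_id, attachment_id, user=None):
    """Build the attachment request URL that matches the token type."""
    kind = token_kind(jwt_claims(token))
    if kind == "unknown":
        raise ValueError("token carries neither 'scp' nor 'roles'")
    if kind == "application" and not user:
        # Client-credentials tokens have no signed-in user, so /me cannot resolve.
        raise ValueError("app-only token: use /users/{id or UPN}, not /me")
    owner = f"users/{quote(user, safe='@')}" if user else "me"
    return (f"{GRAPH}/{owner}/messages/{quote(message_id, safe='=')}"
            f"/attachments/{quote(attachment_id, safe='=')}{EXPAND}")


def sample_token(claims):
    """Constructed, unsigned sample token for the demo; not a real Graph token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none"})
    return f"{header}.{seg(claims)}.constructed"


if __name__ == "__main__":
    app = sample_token({"roles": ["Mail.Read"]})
    user = sample_token({"scp": "Mail.Read User.Read"})
    print(attachment_url(user, "A2zjArAAA=", "5AlfysT-Cz27w="))
    print(attachment_url(app, "A2zjArAAA=", "5AlfysT-Cz27w=", user="user@contoso.example"))
```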