I am trying to access a shared mailbox that I have read/write permissions for through my business Outlook account, using Microsoft365R's get_business_outlook function.

library(Microsoft365R)

tenant_id <- "example_tenant_id"
email <- "example@example.co.uk"

outl <- get_business_outlook(tenant_id, shared_mbox_email = email)

The first time I try this, I get the message:

Using authorization_code flow
Creating Microsoft Graph login for tenant 'example_tenant_id'
Using authorization_code flow
Waiting for authentication in browser...
Press Esc/Ctrl + C to abort
Authentication complete.
Error in process_response(res, match.arg(http_status_handler), simplify) :
Forbidden (HTTP 403). Failed to complete operation. Message:
Insufficient privileges to complete the operation.

On subsequent runs, I get:

Error in process_response(res, match.arg(http_status_handler), simplify) :
Forbidden (HTTP 403). Failed to complete operation. Message:
Insufficient privileges to complete the operation.

I have seen this answer to a similar issue, but the use of the app argument doesn't help:

app_id <- "example_app_id"

outl <- get_business_outlook(tenant_id, shared_mbox_email = email, app = app_id)

Loading Microsoft Graph login for tenant 'example_tenant_id'
Error in process_response(res, match.arg(http_status_handler), simplify) :
Forbidden (HTTP 403). Failed to complete operation. Message:
Insufficient privileges to complete the operation.

I have tried creating a token, with and without a resource argument:

library(AzureAuth)
# Without resource
tok <- get_azure_token("", tenant=tenant_id, app=app_id)

Using authorization_code flow
Loading cached token

outl <- get_business_outlook(tenant_id, shared_mbox_email = email, app = app_id, token = tok)

Error: Could not find Graph host URL

# With resource
resource <- "https://graph.microsoft.com/Mail.ReadWrite.Shared"
# Get azure token for app
tok <- get_azure_token(resource, tenant=tenant_id, app=app_id)

This opens a browser window, prompts me to log in using SSO and brings up the text 'Not found'.

Like the poster of the linked question, I am new to Graph API and lots of the Azure terminology used, so I may be missing something obvious. Any help is appreciated.

joewozza

1 Answer

The error 403 Forbidden usually occurs if you don't have the required permissions or roles to perform the operation.

I tried to reproduce the same in my environment via Postman and got the same error, as below:

GET https://graph.microsoft.com/v1.0/users/<usermail.com>/messages

To resolve the error, make sure to add the Delegated permission below and grant admin consent:

I then generated an access token again using the authorization code flow with the parameters below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:authorization_code
scope:https://graph.microsoft.com/Mail.ReadWrite.Shared
code:code
redirect_uri:https://jwt.ms
client_secret:secret

When I used the above token to access the shared mailbox, I got the response successfully, like below:

In your case, make sure to grant admin consent for API permissions in your Azure AD application.

If you want to generate a v1 token, then remove the scope name at the end of the resource in the code, like below:

library(AzureAuth)
token <- get_azure_token("https://graph.microsoft.com", tenant="yourtenant", app="yourappid")

Include the version parameter if you want to generate a v2 token, like below:

library(AzureAuth)
token <- get_azure_token("https://graph.microsoft.com/Mail.ReadWrite.Shared", tenant="yourtenant", app="yourappid", version=2)

If the error still persists, acquire an administrator role and try the same by signing in with admin credentials.

Reference: Common authentication scenarios (r-project.org)

Sridevi
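One way to see whether a token actually carries the delegated scope discussed in the answer above, before looking at mailbox permissions. This is an added example, not part of the original question or answer and not code from Microsoft365R or AzureAuth; `jwt_claims` and `check_graph_token` are hypothetical helper names, the sample token is constructed, and the last comment assumes `tok` is the object returned by `get_azure_token`.

```r
library(jsonlite)

# Decode the claims (middle segment) of a JWT. No signature check is done:
# this is for inspecting a token you obtained yourself, not for trusting one.
jwt_claims <- function(jwt) {
  parts <- strsplit(jwt, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3) stop("expected header.payload.signature")
  seg <- chartr("-_", "+/", parts[2])                       # base64url -> base64
  seg <- paste0(seg, strrep("=", (4 - nchar(seg) %% 4) %% 4))  # restore padding
  fromJSON(rawToChar(base64_dec(seg)))
}

# Report whether the token targets Graph and holds the delegated scope.
check_graph_token <- function(jwt, needed = "Mail.ReadWrite.Shared") {
  cl <- jwt_claims(jwt)
  graph_aud <- c("https://graph.microsoft.com",
                 "00000003-0000-0000-c000-000000000000")    # Graph's app ID
  # Delegated scopes arrive as one space-separated string in the scp claim.
  scopes <- if (is.null(cl$scp)) character(0)
            else strsplit(cl$scp, " ", fixed = TRUE)[[1]]
  list(
    audience_is_graph = isTRUE(sub("/$", "", cl$aud) %in% graph_aud),
    scopes            = scopes,
    has_scope         = needed %in% scopes,   # exact match, not a substring
    expired           = is.null(cl$exp) || cl$exp < as.numeric(Sys.time())
  )
}

# Constructed sample token: fake signature, scopes chosen to show the failure
# case where Mail.ReadWrite is present but Mail.ReadWrite.Shared is not.
b64url <- function(x) {
  gsub("[=\r\n]", "", chartr("+/", "-_", base64_enc(charToRaw(x))))
}
sample_jwt <- paste(
  b64url('{"alg":"none","typ":"JWT"}'),
  b64url(paste0('{"aud":"https://graph.microsoft.com",',
                '"scp":"Mail.ReadWrite User.Read","exp":4102444800}')),
  "constructed-signature", sep = ".")

str(check_graph_token(sample_jwt))

# With a real AzureAuth token object:
# check_graph_token(tok$credentials$access_token)
```

Run this locally rather than pasting a live access token into a web page, since the token is a bearer credential for the mailbox until it expires.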