MS Graph API: invalid authentication token


Solution 1

In your login request, the resource parameter should be https://graph.microsoft.com

Solution 2

It seems to be the case that tokens issued from the v1 endpoint aren't valid for at least some requests to the MS Graph API.

Instead, try to get the token from the v2 endpoint by calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.

In case you are working with OIDC discovery documents, you'll find the one for v2 at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

Solution 3

I think you will need to register the app from here "https://apps.dev.microsoft.com" instead of from the Azure Portal.

Solution 4

Unless you are using Client Credentials, you cannot access the messages in another account's mailbox. Make sure that [email protected] is the same account you are authenticated with and that this address is also the userPrincipalName for the account.

You can also use a simplified URI for requesting your messages, bypassing the need to determine the account's userPrincipalName, by using /me. In this case the GET request would be https://graph.microsoft.com/v1.0/me/messages
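The following script is an added example (not code from the question or from any of the answers) that ties Solutions 1, 2 and 4 together: it builds the client_credentials request for either the v1 endpoint (resource) or the v2 endpoint (scope ending in /.default), inspects the aud claim of the returned token to catch a token that was minted for the app's own URI rather than for Graph, and picks /me or /users/{upn} depending on whether a signed-in user exists. The tenant, client id and secret are placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com"
# Microsoft Graph's own application id; v2 tokens may carry it as the audience
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def token_request(tenant, client_id, client_secret, v2=True):
    """Return (url, form_data) for a client_credentials grant.
    v1 takes a `resource`; v2 takes a `scope` ending in /.default.
    Setting `resource` to the app's own URI (as in the question) produces a
    token whose audience is the app itself, which Graph rejects with
    InvalidAuthenticationToken."""
    base = f"https://login.microsoftonline.com/{tenant}/oauth2"
    data = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if v2:
        data["scope"] = GRAPH + "/.default"
        return base + "/v2.0/token", data
    data["resource"] = GRAPH
    return base + "/token", data


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. This is for
    local diagnostics only; Graph performs the real validation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_is_graph(token):
    """True if the token was issued for Microsoft Graph."""
    return jwt_claims(token).get("aud") in (GRAPH, GRAPH_APP_ID)


def messages_url(upn=None):
    """Client-credentials tokens have no signed-in user, so /me is invalid
    for them; name the mailbox explicitly. Delegated tokens may use /me."""
    if upn is None:
        return f"{GRAPH}/v1.0/me/messages"
    return f"{GRAPH}/v1.0/users/{upn}/messages"


def fake_token(aud):
    """Constructed, unsigned JWT-shaped string for offline demonstration."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}."


if __name__ == "__main__":
    url, data = token_request("contoso.onmicrosoft.com", "CLIENTID", "SECRET")
    print(url, data["scope"])
    print(audience_is_graph(fake_token("api://my-app")))  # the question's mistake
    print(audience_is_graph(fake_token(GRAPH)))
```

Run audience_is_graph on a real token before sending it; if it returns False, the request that obtained the token asked for the wrong resource or scope and no amount of retrying the Graph call will help.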


Updated on December 19, 2020

Comments

  • vaindil
    vaindil over 3 years

    I'm trying to use the Microsoft Graph API to query an Outlook/O365 mailbox for messages. I registered my app in the Azure portal and received the necessary information to query the API. The app has the Mail.Read permission. (I don't have access to the Azure portal; I was told it was set up this way.) When I get my token from the OAuth endpoint, however, it doesn't work in any subsequent calls. I'm using Python's requests module for testing right now.

    Why is this call failing? It seems like I'm passing all of the correct information, but I'm clearly missing something.

    I'm getting the token by performing a POST on:

    https://login.microsoftonline.com/my.domain/oauth2/token
    

    I pass the necessary parameters:

    data = {'grant_type': 'client_credentials', 'client_id': CLIENTID, 'client_secret': SECRET, 'resource': APPURI}
    

    and I get a response like this:

    {
        'resource': 'APPURI',
        'expires_in': '3599',
        'ext_expires_in': '3600',
        'access_token': 'TOKENHERE',
        'expires_on': '1466179206',
        'not_before': '1466175306',
        'token_type': 'Bearer'
    }
    

    I try to use that token, however, and it doesn't work for anything I call. I'm passing it as a header:

    h = {'Authorization': 'Bearer ' + TOKEN}
    

    I'm calling this URL:

    url = 'https://graph.microsoft.com/v1.0/users/[email protected]/messages'
    

    Specifically, I use this:

    import requests

    r = requests.get(url, headers=h)  # GET with the Bearer header built above
    

    The response is a 401:

    {
        'error': {
            'innerError': {
                'date': '2016-06-17T15:06:30',
                'request-id': '[I assume this should be removed for privacy]'
             },
             'code': 'InvalidAuthenticationToken',
             'message': 'Access token validation failure.'
         }
    }
    
  • vaindil
    vaindil almost 8 years
    I'm trying to set up a task on my web app that will periodically check a specific mailbox for new emails and process attachments on them. Sounds like I'm going about it the wrong way then.
  • Marc LaFleur
    Marc LaFleur almost 8 years
    This will work but you'll need to either get a token using that mailbox's credentials or use an account with administrative privileges.
  • vaindil
    vaindil almost 8 years
    Hope it's okay to piggyback off of this. We can't figure out where to generate the credentials under the account; can't log into the portal because it's not an administrator account. Where would we do that?
  • vaindil
    vaindil almost 8 years
    The app information created in the URL provided in the other answer by Xiaomin returns this from the oauth endpoint: Application 'IDHERE' is not supported for this API version. Must not be the correct way to do it.
  • Marc LaFleur
    Marc LaFleur almost 8 years
    If you're registering at apps.dev.microsoft.com then make sure you are also using the v2 Endpoint. For classic Azure AD integration (aka v1) you need to register within your Azure AD instance and use the ID and secret from there.
  • Marc LaFleur
    Marc LaFleur almost 8 years
    Note that switching to v2 will not get around the Admin requirement for other user mailboxes.
  • vaindil
    vaindil almost 8 years
    Hmm... we're trying to use the classic integration, but can't find a way to register it under a specific user. The apps appear to be created globally. The account can't log into the portal because it isn't an administrator. The person who created the credentials originally is an administrator but they still don't work.
  • Marc LaFleur
    Marc LaFleur almost 8 years
    You don't register an app to a specific user. You register an app to Azure AD and the actual user authenticates using OAUTH. OAUTH has 3 components - the "User" with a User ID, the "App" with an App ID, and a "Provider" which authenticates both the "User" (via the user's credentials) and the "App" (via the app's registration ID). In order to access remote mailboxes the "User" must be an Admin.
  • Karthik Rana
    Karthik Rana about 5 years
    How to specify more than one resource there?
  • Amit
    Amit over 4 years
    This won't be of help. The page says - "Application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal."