Office 365 API ErrorAccessDenied (Access is denied. Check credentials and try again.)
Thanks for your question and sorry to hear about the trouble you are having with your first app. Can you please check the permissions for Office 365 Exchange Online and make sure the permission "Have full access to a user's mailbox" is NOT selected? See attached image for more details.
This is meant for access to a user's mailbox using an older API called Exchange Web Services, and not intended for Office 365 REST APIs. I think you are getting "Access Denied" for your REST API request because you may have selected this permission.
Let me know if you are still seeing an issue after removing this permission. Let me know if you have any questions or need more info.
Thanks,
Venkat
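The check the answer describes can be run against a token before calling the REST API. This is an added example, not code from the original thread or from Microsoft: it decodes the access token's claims without verifying the signature, and the scope string `full_access_as_user` for the "Have full access to a user's mailbox" permission is an assumption, as are the function names and the constructed sample tokens.

```javascript
// Added example: diagnose an Azure AD access token before calling the REST API.
// Decoding only: the signature is NOT verified, so never use this for trust decisions.

// Assumption: scope value issued for "Have full access to a user's mailbox".
const EWS_FULL_ACCESS_SCOPE = 'full_access_as_user';

function decodeSegment(segment) {
  // JWT segments are unpadded base64url; map to the standard alphabet first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function inspectAccessToken(token, expectedResource) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, scopes: [], problems: ['not a three-part JWT'] };
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return { ok: false, scopes: [], problems: ['payload is not base64url-encoded JSON'] };
  }
  if (!claims || typeof claims !== 'object') {
    return { ok: false, scopes: [], problems: ['payload is not a JSON object'] };
  }
  const problems = [];
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const norm = (u) => String(u || '').replace(/\/+$/, '').toLowerCase();
  if (norm(claims.aud) !== norm(expectedResource)) {
    problems.push(`audience "${claims.aud}" does not match resource "${expectedResource}"`);
  }
  if (scopes.length === 0) problems.push('no delegated scopes (scp claim) in token');
  if (scopes.includes(EWS_FULL_ACCESS_SCOPE)) {
    problems.push(`token carries ${EWS_FULL_ACCESS_SCOPE}, the permission to deselect`);
  }
  return { ok: problems.length === 0, scopes, problems };
}

// Constructed sample tokens (fake signature), for demonstration only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed`;
}
const RESOURCE = 'https://outlook.office365.com/';
const badToken = makeSampleToken({ aud: RESOURCE, scp: 'Mail.Read full_access_as_user' });
const goodToken = makeSampleToken({ aud: RESOURCE, scp: 'Mail.Read Calendars.Read' });

console.log(inspectAccessToken(badToken, RESOURCE));
console.log(inspectAccessToken(goodToken, RESOURCE));
```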
KardanovIR
Developer Advocate @ Waves Platform, software engineer. Blockchain, ML&AI developer. All opinions are my own.
Updated on August 05, 2022

Comments
-
KardanovIR over 1 year
I'm trying to build my first app with the Office 365 API and have one big problem.
I'm trying to get main info about user with Office 365 API and Azure Active Directory and for that I'm doing:
1) Get access token. The http post request to https://login.windows.net/common/oauth2/token for token:
HEADERS: Content-Type: application/x-www-form-urlencoded
POST DATA:
grant_type = authorization_code
client_id = *my_client_id*
client_secret = *my_client_secret*
session_state = e5fb6cd5-28f7-4dfc-b793-9ce8522534ac
code = *code_that_i_got_to_my_callback_url*
resource = https://outlook.office365.com/
I get response with access_token, refresh_token, id_token, resource etc.
2) I'm trying to get main info about user with access token:
Get request to https://outlook.office365.com/api/v1.0/me with
HEADERS:
client-request-id: *some_random_id*
return-client-request-id: true
authorization: 'Bearer ' + *access_token*
Accept: '*/*'
But I get:
{ error: { code: 'ErrorAccessDenied', message: 'Access is denied. Check credentials and try again.' } }
My app in AAD has max permissions for everything (sorry for the Russian):
I'm doing everything like here: http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx
And the most interesting thing is that one week ago everything worked well (except that sometimes the response time was about 30 sec) and I could get information about users.
And one last thing. On that page (http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx) you can find a request to https://login.windows.net/common/oauth2/token with the parameter prompt=admin_consent. It was also working a week ago, but now if you try it you'll get Bad Request (400).
-
Benjamin Fox over 9 years
Is this permission going to be removed or renamed? It's currently a bit misleading!
-
Venkat Ayyadevara - MSFT over 9 years
Hi Benjamin Fox, We are going to rename the permission to make it clearer. And we are investigating if we can make a service-side change to ignore this permission and not return an Access Denied error when a REST API request is received with a token including "Full Access" permission. Hope that helps. Thanks, Venkat
-
Ian Jowett over 5 years
I am having a similar issue, where do I see this setting on Azure?
-
Teodor Głaz over 3 years
I had the same problem, and then, after removing the check from the checkbox, I get 401 Unauthorized when I'm retrieving an item using BindToItem. I use OAuth to authenticate.