When obtaining a token, make sure you use the "https://outlook.office365.com" resource, not the "standard" Graph one. If possible, decode the token (you can use jwt.ms for that) and paste the result here.
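The check suggested in the reply above, done locally, as an added example that is not part of the original reply: it decodes the token's claims without verifying the signature and compares `aud` and `roles` with the resource and permission named on this page. The function names and both sample tokens are constructed for illustration.

```python
import base64
import json

EXPECTED_AUD = "https://outlook.office365.com"   # resource named in the reply
EXPECTED_ROLE = "ReportingWebService.Read.All"   # app permission from the question


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Signature is NOT verified: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str) -> list[str]:
    """List the reasons this token would not fit the reporting web service."""
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != EXPECTED_AUD:
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUD!r}")
    roles = claims.get("roles") or []  # app-only tokens carry permissions in 'roles'
    if EXPECTED_ROLE not in roles:
        problems.append(f"roles {roles!r} lacks {EXPECTED_ROLE!r}")
    return problems


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: a token issued for Graph, and one issued for Exchange Online.
GRAPH_TOKEN = make_sample({"aud": "https://graph.microsoft.com", "roles": []})
EXO_TOKEN = make_sample({"aud": EXPECTED_AUD, "roles": [EXPECTED_ROLE]})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("exchange", EXO_TOKEN)):
        print(name, check_token(tok) or "ok")
```

Decoding locally keeps the bearer token off third-party pages; when posting for help, share the decoded claims rather than the raw token.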
Need roles and permissions information for Exchange admin reporting APIs
Hi,
I am using the MSAL library for authentication, and for the Exchange messageTrace endpoint I am using the API https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace
This API is throwing the below 401 - Unauthorized error.
Job failed with type: UnauthorizedFailure ; Message: Reason: Full error: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>401 - Unauthorized: Access is denied due to invalid credentials.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div> </div> </body> </html> ; Details: Error code: 401
Below is the configuration I have used.
1. Create an Entra Application.
   Provided API permission (Office 365 Exchange Online - ReportingWebService.Read.All). For the same application I have generated client secrets, and provided the client ID, client secret and tenant ID information for authentication.
2. Roles and administrators - selected the 'Global Reader' role and added the Microsoft Entra ID application as a member.
3. On the Exchange admin portal https://admin.exchange.microsoft.com/#/adminRoles, for a Role Group, assigned the Global Reader role with the below 3 permissions selected:
   i) Data Loss Prevention
   ii) View Only Configuration
   iii) View Only Recipients
4. The user used on the Azure portal has Global Administrator access.
Still I'm getting the above 401 - Unauthorized: Access is denied due to invalid credentials.
Is it possible to block API permission access in case we are using some different Conditional Access policies on the Microsoft Entra admin center portal?
Will the above permissions work in case two different users are used on the Azure portal and the Exchange admin portal?
Please let me know the root cause behind this; I need to know the exact configuration settings/permissions required on the Microsoft side. Thanks in advance!