EWS Operation Item.Copy fails with 'full_access_as_app' permission

Hielke Hoeve | Admin 10 Reputation points
2024-03-04T11:00:32.95+00:00

We have been using the EWS Item.Copy Operation for nearly 5 years. Since last week (Monday 26th of February 18:00 CET) this operation started failing for 2 of our 40 customers. No configuration has changed in Azure. App Secrets and API Permissions are set up correctly and consent has been given once more to be sure. We ask our customers to grant us 'full_access_as_app', which should be enough for the EWS Item.Copy Operation and this has been enough for years.

Unfortunately for 2 customers the EWS API is denying us access. I can get the message to be copied and I can get the target folder I want to copy the message to. But a copy operation throws the following error:

reason="Access to this API requires the following permissions: 'MailExport-Internal.Read.All,MailExport-Internal.Read.Shared,MailExport-Internal.ReadWrite.All,MailExport-Internal.ReadWrite.Shared'. However, the application only has the following permissions granted: 'full_access_as_app'." error_category="invalid_grant"

Does anyone know how to fix this problem?

I have tested that I can get the message and target folder through the EWS API using Postman. I have renewed the App Secrets. I have checked all permissions requested and consent has been withdrawn and given to be sure. I have created a new mailbox to test if the target is an issue.

The problem still persists, even between other mailboxes and folders.

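Added example, not part of the original post: a Python diagnostic that parses the `reason` text from the error above and compares it with the `roles` claim of an app-only access token, which is where Entra ID places granted application permissions. The token is constructed for the example and the function names are hypothetical; the signature is not verified, so this is for troubleshooting only.

```python
import base64
import json
import re

# Error text copied from the question above.
REASON = (
    "Access to this API requires the following permissions: "
    "'MailExport-Internal.Read.All,MailExport-Internal.Read.Shared,"
    "MailExport-Internal.ReadWrite.All,MailExport-Internal.ReadWrite.Shared'. "
    "However, the application only has the following permissions granted: "
    "'full_access_as_app'."
)

def parse_reason(reason):
    """Split the 'reason' text into (required, granted) permission sets."""
    m = re.search(r"requires the following permissions: '([^']*)'.*?"
                  r"permissions granted: '([^']*)'", reason, re.S)
    if not m:
        raise ValueError("unrecognised reason format")
    to_set = lambda s: {p.strip() for p in s.split(",") if p.strip()}
    return to_set(m.group(1)), to_set(m.group(2))

def token_roles(jwt):
    """Read the 'roles' claim WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))

def diagnose(reason, jwt):
    """Compare what the API says it saw with what the token actually carries."""
    required, granted = parse_reason(reason)
    roles = token_roles(jwt)
    return {
        # True means the service evaluated the same roles the token carries,
        # so the token itself is not stale or issued for the wrong app.
        "token_matches_error": roles == granted,
        "required_not_in_token": sorted(required - roles),
    }

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: header and claims are illustrative, signature is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"aud": "https://outlook.office365.com", "roles": ["full_access_as_app"]}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(json.dumps(diagnose(REASON, SAMPLE_TOKEN), indent=2))
```

If `token_matches_error` is true, the consent and token issuance are behaving as configured and the mismatch lies in what the service now demands for this operation, which is the detail to include in a support case.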

2 answers

  1. Vasil Michev 99,351 Reputation points MVP
    2024-03-04T15:59:46.0866667+00:00

    Likely related to this announcement: https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-rbac-application-impersonation-in-exchange-online/ba-p/4062671

    Though the timelines they mentioned therein are not yet in effect... best open a support case to report this.

    1 person found this answer helpful.

  2. Hielke Hoeve | Admin 10 Reputation points
    2024-03-21T15:18:59.3466667+00:00

    This forum post saved my day. Basically Microsoft had no idea what to do. We received instructions to register Service Principals in Exchange Admin, but we use Entra ID App Registrations to identify our application. So after 2 days of hell we've decided to refactor half of our application so we can use the MS Graph 'post message' endpoint and create copies of e-mails directly in the user mailboxes.

    Apparently you need to apply 3 'SingleValueExtendedProperties' in order to create a non-draft e-mail.
