How to read emails from an external user who consented to my Microsoft app?

Brosk Mohammad 20 Reputation points
2024-07-06T23:45:20.56+00:00

I am reading emails using the graph api application from users in my organization using this endpoint: 

endpoint = f"https://graph.microsoft.com/v1.0/users/demo@mydomain.com/mailFolders/inbox/messages"

Now I have an external user who consented to my app but for some reason, I keep getting an invalid user when I call the same endpoint with his email. What are the extra steps to be able to read his emails after his consent, and what is the external user's endpoint?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,002 questions
0 comments
Accepted answer
  1. mikelydick 76 Reputation points
    2024-07-07T01:30:03.1533333+00:00

    Troubleshooting

    If you encounter issues, ensure:

    • The external user has properly consented to the app.
    • The app is configured as multi-tenant.
    • The correct permissions are granted.
    • The access token is valid and includes the required scopes.

    By following these steps, you should be able to read emails from an external user who has consented to your app using the Microsoft Graph API.

    1. Assumed...
    2. Configure Your App as Multi-Tenant
    • To allow external users to authenticate and consent to your app, you need to configure your app as a multi-tenant application. This allows users from other Azure AD tenants to access your application.
      • Steps:
        • Go to the Azure portal.
        • Navigate to Azure Active Directory > App registrations.
        • Select your app registration.
        • Under Authentication, ensure that the Supported account types is set to "Accounts in any organizational directory (Any Azure AD directory - Multitenant)".
    1. Obtain Authorization Code and Access Token External users need to authenticate and provide consent to your app. To obtain an access token, you will use the OAuth 2.0 authorization code flow. Let us know if you need an example.
    2. Use the Correct Endpoint for External Users For external users, you need to use the**/me**endpoint instead of specifying the user's email directly. This ensures that the API call is made in the context of the authenticated user. Endpoint: 
         plaintext
   https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
    3. Ensure Proper Permissions
    • Make sure your app has the necessary permissions to read emails. The required permissions are Mail.Read for delegated access.
    • Steps:
      • Go to Azure Active Directory > App registrations.
      • Select your app registration.
      • Under API permissions, ensure that Mail.Read is granted and admin consented.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Yakun Huang-MSFT 4,640 Reputation points Microsoft Vendor
    2024-07-08T01:26:38.9633333+00:00

    Hi @Brosk Mohammad

    The invalid user is because the user does not have the MS 365 License, please check the user's License in Azure, if not, please grant the MS 365 License, as shown in the following figure:

    User's image

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.