
Get-MgUserMailboxSetting Access Denied with Delegated Scopes #2966

Closed
@ross-r

Description


Describe the bug

I'm trying to use the PowerShell cmdlets Get-MgUserMailboxSetting and Update-MgUserMailboxSetting to automate a workflow in my organization; however, I'm receiving access denied errors despite granting the correct permissions and consenting on behalf of my organization.

I've attempted to use Graph Explorer and unfortunately the same issue occurs there too.

Upon checking the permission details for Get-MgUserMailboxSetting, I'm led to believe this is unintended behavior:
[screenshot: permission details for Get-MgUserMailboxSetting]

The permission descriptions for MailboxSettings.Read and MailboxSettings.ReadWrite explicitly state access to all users; however, it only works for the user who authenticated the application to begin with.

Reading around, I've come across multiple others experiencing this issue, as well as other GitHub issues within this repo. The general consensus is that you need to register an application and authenticate with application permissions as opposed to delegated permissions, but again, the permission descriptions imply otherwise.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
https://stackoverflow.com/questions/54767695/error-access-denied-on-mailboxsettings-for-users
MartinM85/graph-mailbox-user-purpose#1
#2120

Here's an example of the PowerShell code I am running:

$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All"
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "[email protected]"
Get-MgUserMailboxSetting -UserId $UserId

The sign in / authentication process:
[screenshot: sign-in and consent prompt]

I am authenticating with a Global Administrator account and attempting to access the mailbox settings of a regular licensed user.

Error:

Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 00c23911-9b70-4660-a58e-dcd1600c71d3
client-request-id             : 57dbe463-3d02-448d-9cce-446e76efb0af
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ML1PEPF00004AFC"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 12:19:54 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get

As I mentioned earlier, I've done the exact same process using Graph Explorer, even consenting to the application on behalf of my organization within Entra.

Expected behavior

I should, according to the permission descriptions for MailboxSettings.ReadWrite, be able to read and write mailbox settings for all users within an organization with delegated scopes.

How to reproduce

Execute:

$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All"
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "[email protected]"
Get-MgUserMailboxSetting -UserId $UserId

Authenticate with a Global Administrator account and select "Consent on behalf of your organization".

SDK Version

2.23.0

Latest version known to work for scenario above?

Unknown; it appears to be a long-term issue with many reports and no official solution besides application permissions, which, again, the permission description implies are not needed.

Known Workarounds

Unconfirmed, however, other users have reported this working with application permissions as opposed to delegated scope permissions.

Debug output

DEBUG: [CmdletBeginProcessing]: - Get-MgUserMailboxSetting begin processing with parameterSet 'Get'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - Scopes: [Chat.ReadWrite.All, Directory.Read.All, Group.Read.All, Mail.ReadWrite, MailboxSettings.ReadWrite, openid, People.Read.All, profile, Sites.Manage.All, User.Read.All, User.ReadWrite.All, email].

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/[redacted]@[redacted].onmicrosoft.com/mailboxSettings

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-AU),PowerShell/2024.2.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.23.0
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4

Body:



Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

Body:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}


Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A

Confirm
Access is denied. Check credentials and try again.

Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
SkuId                                Name
-----                                ----
3b555118-da6a-4418-894f-7df1e2096870 Microsoft 365 Business Basic
Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId -Debug
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get
DEBUG: [CmdletEndProcessing]: - Get-MgUserMailboxSetting end processing.

Configuration

PSVersion 5.1.22621.963
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.963
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Other information

No response
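The workaround the report mentions is app-only (application permission) authentication. Added example, not part of the issue or the Graph PowerShell SDK: it signs in app-only with a certificate, checks via Get-MgContext that the context is not Delegated (the AuthType the debug log above shows), and first narrows the app with an Exchange Online application access policy so that a tenant-wide MailboxSettings.ReadWrite application permission only reaches one mailbox group. The app registration, tenant, certificate thumbprint, group address and target user are placeholders; the app is assumed to already hold admin-consented MailboxSettings.ReadWrite as an application permission.

```powershell
# Added example (not from the issue): app-only sign-in for Get-MgUserMailboxSetting,
# scoped by an Exchange Online application access policy. All values are placeholders.
$TenantId       = "contoso.onmicrosoft.com"                                   # placeholder
$AppId          = "00000000-0000-0000-0000-000000000000"                       # placeholder app (client) id
$CertThumbprint = "<certificate thumbprint>"                                  # placeholder
$ScopedGroup    = "mailbox-automation-targets@contoso.onmicrosoft.com"        # placeholder mail-enabled security group
$TargetUser     = "user@contoso.onmicrosoft.com"                              # placeholder

# 1. Restrict the app before using it. Application permissions such as
#    MailboxSettings.ReadWrite apply to every mailbox in the tenant unless an
#    application access policy narrows them (Exchange Online PowerShell module).
Connect-ExchangeOnline -ShowBanner:$false
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopedGroup `
    -AccessRight RestrictAccess -Description "Limit mailbox automation app to scoped group"
# Verify the policy: AccessCheckResult should be Granted for group members, Denied otherwise.
Test-ApplicationAccessPolicy -Identity $TargetUser -AppId $AppId

# 2. Sign in app-only with a certificate: no interactive user and no delegated scopes.
Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint -NoWelcome

# 3. Confirm the context is app-only before touching mailboxes. A Delegated context
#    reproduces the 403 from the report when reading another user's mailbox settings.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only Graph context, got '$($ctx.AuthType)'"
}

# 4. Read and update mailbox settings for a user inside the scoped group.
Get-MgUserMailboxSetting -UserId $TargetUser | Select-Object TimeZone, Language
Update-MgUserMailboxSetting -UserId $TargetUser -BodyParameter @{ timeZone = "AUS Eastern Standard Time" }
```

Application access policies take time to propagate in Exchange Online, so Test-ApplicationAccessPolicy may report Granted for a non-member shortly after creation.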
