Microsoft Graph returns "The token contains no permissions, ..." when using app-only token

Using Postman, I am trying to retrieve the last emails received in my Outlook mailbox.

To achieve this, I have declared my app in the App Portal. Then, I can do a GET request to get a token from the endpoint:

https://login.microsoftonline.com/[tenantId]/oauth2/token

Next, I try to use the token I received to perform a request at

https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messages

The problem is that the API returns:

{
  "code": "NoPermissionsInAccessToken",
  "message": "The token contains no permissions, or permissions can not be understood.",
}

In the permissions of my app, I have authorized every action related to reading emails. Am I missing something?

Roatha Chann asked Mar 04 '23 04:03


1 Answer

I was actually missing admin approval for the scopes (read.mail in my case). In an app-only usage, you need to get approval from an admin. To do so, the admin must use this URL:

https://login.microsoftonline.com/common/adminconsent?client_id=[your_client_id]&state=[random_string]&redirect_uri=http://localhost/

The admin will be prompted to approve permissions.

Roatha Chann answered May 06 '23 22:05
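
A diagnostic sketch for the situation in this thread, added here as an example and not code from the original post: it decodes an access token's payload and reports whether it carries application permissions (the `roles` claim), delegated permissions (the `scp` claim), or neither, which is the state Graph rejects with `NoPermissionsInAccessToken`. The sample tokens are constructed and unsigned, and the `Mail.Read` value and helper names are assumptions chosen for illustration.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    """Base64url-encode a dict as JSON, without padding, as JWT segments are."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> dict:
    """Classify the token by which permission claim it carries."""
    claims = decode_claims(token)
    roles = claims.get("roles") or []           # application permissions (app-only)
    scopes = (claims.get("scp") or "").split()  # delegated permissions
    if roles:
        kind = "app-only"
    elif scopes:
        kind = "delegated"
    else:
        kind = "no-permissions"  # typically: admin consent not yet granted
    return {"kind": kind, "roles": roles, "scopes": scopes, "aud": claims.get("aud")}


# Constructed sample claims; real tokens contain many more fields.
AUD = "https://graph.microsoft.com"
BEFORE_CONSENT = make_sample_token({"aud": AUD, "appid": "00000000-placeholder"})
AFTER_CONSENT = make_sample_token({"aud": AUD, "roles": ["Mail.Read"]})
DELEGATED = make_sample_token({"aud": AUD, "scp": "Mail.Read User.Read"})

if __name__ == "__main__":
    for name, tok in [("before consent", BEFORE_CONSENT),
                      ("after consent", AFTER_CONSENT),
                      ("delegated", DELEGATED)]:
        print(name, "->", diagnose(tok))
```

After admin consent is granted, request a fresh token before re-checking, since a token issued earlier keeps the claims it was issued with.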