Get-MgUserMailboxSetting Access Denied with Delegated Scopes

[ross-r]

Describe the bug

I'm trying to use the powershell cmdlet Get-MgUserMailboxSetting and Update-MgUserMailboxSetting to automate work flow in my organization, however, I'm receiving access denied errors despite granting the correct permissions and consenting on behalf of my organization.

I've attempted to use Graph Explorer and unfortunately the same issue occurs there too.

Upon checking the permission details for Get-MgUserMailboxSetting, I'm led to believe this is unintended behavior:

The permissions descriptions for MailboxSettings.Read and MailboxSettings.ReadWrite explicitly state access to all users, however, it's only working on the user which had authenticated the application to begin with.

Reading around, I've came across multiple others experiencing this issue and other GitHub issues within this repo. The general consensus is that you need to register an application and authenticate with application permissions as opposed to delegated permissions, but again, the permission descriptions imply otherwise.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
https://stackoverflow.com/questions/54767695/error-access-denied-on-mailboxsettings-for-users
MartinM85/graph-mailbox-user-purpose#1
#2120

Here's an example of the powershell code I am running:

$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All",
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "[email protected]"
Get-MgUserMailboxSetting -UserId $UserId

The sign in / authentication process:

I am authenticating with a Global Administrator account and attempting to access the mailbox settings of a regular licensed user.

Error:

Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 00c23911-9b70-4660-a58e-dcd1600c71d3
client-request-id             : 57dbe463-3d02-448d-9cce-446e76efb0af
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"ML1PEPF00004AFC"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 12:19:54 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get

As I mentioned earlier, I've done the exact same process using Graph Explorer, even consenting to the application on behalf of my organization within Entra

Expected behavior

I should, according to the permission descriptions for MailboxSettings.ReadWrite, be able to read and write mailbox settings for all users within an organization with delegated scopes.

How to reproduce

Execute:

$scopes = @(
    "Chat.ReadWrite.All"
    "Directory.Read.All"
    "Group.Read.All"
    "Mail.ReadWrite"
    "People.Read.All"
    "Sites.Manage.All"
    "User.Read.All"
    "User.ReadWrite.All",
    "MailboxSettings.ReadWrite"
)

Connect-MgGraph -Scopes $scopes
$UserId = "[email protected]"
Get-MgUserMailboxSetting -UserId $UserId

Authenticate with a Global Administrator account and select "Consent on behalf of your organization"

SDK Version

2.23.0

Latest version known to work for scenario above?

Unknown, appears to be a long term issue with many reports and no official solution besides application permissions which again, the permission description implies is not needed

Known Workarounds

Unconfirmed, however, other users have reported this working with application permissions as opposed to delegated scope permissions.

Debug output

Click to expand log

DEBUG: [CmdletBeginProcessing]: - Get-MgUserMailboxSetting begin processing with parameterSet 'Get'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: [Authentication]: - Scopes: [Chat.ReadWrite.All, Directory.Read.All, Group.Read.All, Mail.ReadWrite, MailboxSettings.ReadWrite, openid, People.Read.All, profile, Sites.Manage.All, User.Read.All, User.ReadWrite.All, email].

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/users/[redacted]@[redacted].onmicrosoft.com/mailboxSettings

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-AU),PowerShell/2024.2.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.23.0
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4

Body:



Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

Body:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}


Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A

Confirm
Access is denied. Check credentials and try again.

Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT

[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): A
SkuId                                Name
-----                                ----
3b555118-da6a-4418-894f-7df1e2096870 Microsoft 365 Business Basic
Get-MgUserMailboxSetting : Access is denied. Check credentials and try again.
Status: 403 (Forbidden)
ErrorCode: ErrorAccessDenied
Date:
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : b17b5a7b-9d93-4fe6-bb0a-48ed00c4c7c5
client-request-id             : e472c51a-522c-409f-82f9-3ae8332774d4
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia Southeast","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"ML1PEPF0000ED78"}}
Cache-Control                 : private
Date                          : Sat, 21 Sep 2024 13:47:03 GMT
At <>
+ Get-MgUserMailboxSetting -UserId $UserId -Debug
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ UserId = djon... , Headers =  }:<>f__AnonymousType14`4) [Get-MgUserMailboxSetting_Get], Exception
    + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserMailboxSetting_Get
DEBUG: [CmdletEndProcessing]: - Get-MgUserMailboxSetting end processing.

Configuration

PSVersion 5.1.22621.963
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.963
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Other information

No response

[supajo]

I can confirm the exact same issue on my side.
Also i can not run this under a Azure Automation Runbook with Sysem Assigned Managed Identity

[ross-r]

I can confirm the exact same issue on my side. Also i can not run this under a Azure Automation Runbook with Sysem Assigned Managed Identity

Yep, this seems to be a long running issue since MailSettings was added to Microsoft Graph which is disappointing. I'd love to spend the time transitioning to Graph but until these issues are fixed, better yet, even acknowledged seriously, I don't see a point.

Creating an application within Entra for this specific thing is not a solution as delegation for the same tasks has worked fine in past APIs from Microsoft, nor is it a solution at a enterprise level for MSPs supporting many organizations.