Troubleshooting

Access Denied errors

401

If you receive a 401 error, then this implies that the credentials being used to connect to the mailbox are not valid. Check the credentials (if using delegated access, the username and password entered were likely wrong; for app registration, check the secret key or certificate).

403

403 implies that the credentials are valid, but those credentials do not have permission to access the resource.

In some environments, there may be policies configured to control access to mailboxes via EWS and Graph. If this is the case, you may receive a 403 error when attempting to use the script using application permissions. To resolve this, whatever policy is blocking access will need to be modifed to allow the application access. Below are some different methods of controlling access, all of which can result in a 403 depending which policies apply to the application.

https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview