How to get Graph API access token & read count of incoming mails of entire organization?


I'm trying to read the count of incoming mails in the organization & the users in it. I tried the code below in a console app, but on this line - var users = await graphServiceClient.Users.Request().GetAsync(); - the application stops running.

  1. So, why is this happening? (I tried with the debugger but there was no error.)

  2. Is the format of .WithAuthority right?

  3. Is there any alternate way to get a Graph API access token & read the count of incoming mails all over the organization? If yes, then please help me with sample code.

    var confidentialClient = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithAuthority($"https://login.microsoftonline.com/$token/v2.0")
        .WithClientSecret(clientSecret)
        .Build();

    GraphServiceClient graphServiceClient =
        new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
        {
            var authResult = await confidentialClient.AcquireTokenForClient(scopes).ExecuteAsync();

            requestMessage.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        }));

    var users = await graphServiceClient.Users.Request().GetAsync();

    foreach (Microsoft.Graph.User item in users)
    {
        Console.WriteLine(item.DisplayName);
    }

    Console.WriteLine(users.Count);

Thanks!

1

There are 1 best solutions below

6
Tiny Wang On

In MS Graph API, we don't have an API which can query all the emails in the entire organization; we only have a list message API for obtaining the emails of a specific user. And if some user in the organization wants to get other users' email, we normally need to have the application API permission, which is mentioned in the document:

There are two scenarios where an app can get messages in another user's mail folder:

  * If the app has application permissions, or,
  * If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user. See details and an example.

About the application API permission, it's one of the 2 kinds of permissions. Delegated API permission means the user needs to sign in to get the authorization, and the authorization allows the user to access his own resources. Application API permission means the application is asking for the authorization, and this authorization allows the application to access all resources of all users in the tenant.

For this API, we need to have Mail.ReadBasic.All, Mail.Read, Mail.ReadWrite application API permissions.


Then we can use code (based on the latest Graph SDK) like this to get the email count for a specific user:

    using Microsoft.Graph;
    using Azure.Identity;

    // Placeholder values: replace with your tenant, app registration and secret.
    var scopes = new[] { "https://graph.microsoft.com/.default" };
    var tenantId = "tenant_name.onmicrosoft.com";
    var clientId = "aad_app_id";
    var clientSecret = "client_secret";
    var clientSecretCredential = new ClientSecretCredential(
        tenantId, clientId, clientSecret);
    var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

    // $count=true asks Graph to return the total number of messages with the page.
    var result = await graphClient.Users["{user-id}"].Messages.GetAsync((requestConfiguration) =>
    {
        requestConfiguration.QueryParameters.Count = true;
    });

    // The total comes back as @odata.count on the collection response.
    Console.WriteLine(result?.OdataCount);

Then use a loop to add up the total message count. By the way, graphServiceClient.Users.Request().GetAsync(); will return all the users in the tenant, but I think not every user has a mail license.

MS Graph API can only access resources in the tenant. For example, if you invite my account into your tenant and my account is my Outlook email ([email protected]), I have many emails in this email address, but you can't get any email information via the API.

That's because when you invite my account into your tenant, my account will have a principal like tiny_outlook.com#EXT#@yourTenantName.onmicrosoft.com, and you also need to add a license (e.g. an M365 E3 license will give the email feature) to this principal, and then the API can query emails for this principal. If you don't assign such a license, this principal will not have an email address, so there won't be any email for this principal.

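The loop described in the answer, written out as an added example (not code from the question or the answer). It goes one step further than the answer by reading the Inbox folder's `totalItemCount` for each user instead of `$count` on all messages, and it skips users that have no mailbox. Assumptions: Microsoft.Graph SDK v5, a .NET 6+ console app, an app registration with the `User.Read.All` application permission plus one of the mail read application permissions named above, and hypothetical environment variable names for the credentials.

```csharp
using System;
using System.Collections.Generic;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

// Assumption: hypothetical variable names. The secret is read from the
// environment so it never lands in source control.
string Env(string name) => Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"{name} is not set");

var credential = new ClientSecretCredential(
    Env("GRAPH_TENANT_ID"), Env("GRAPH_CLIENT_ID"), Env("GRAPH_CLIENT_SECRET"));
var graphClient = new GraphServiceClient(
    credential, new[] { "https://graph.microsoft.com/.default" });

// Collect every user in the tenant, following @odata.nextLink pages.
var users = new List<User>();
var firstPage = await graphClient.Users.GetAsync(rc =>
    rc.QueryParameters.Select = new[] { "id", "userPrincipalName" });
if (firstPage != null)
{
    var iterator = PageIterator<User, UserCollectionResponse>.CreatePageIterator(
        graphClient, firstPage, user => { users.Add(user); return true; });
    await iterator.IterateAsync();
}

long total = 0;
foreach (var user in users)
{
    try
    {
        // "inbox" is a well-known folder name; only the counter is requested.
        var inbox = await graphClient.Users[user.Id].MailFolders["inbox"].GetAsync(rc =>
            rc.QueryParameters.Select = new[] { "totalItemCount" });
        var count = inbox?.TotalItemCount ?? 0;
        Console.WriteLine($"{user.UserPrincipalName}: {count}");
        total += count;
    }
    catch (ODataError e)
    {
        // Users without a mailbox (unlicensed accounts, guests) end up here.
        Console.WriteLine($"{user.UserPrincipalName}: skipped ({e.Error?.Code})");
    }
}
Console.WriteLine($"Inbox messages across {users.Count} users: {total}");
```

Requesting only `totalItemCount` keeps message bodies out of the response, so the app never handles mail content it does not need.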