0 votes
by (160 points)

Hello,
We are seeing following error while connecting to Office365.
We have implemented non-interactive/client credential flow.
What could be the reason behind this error?
I can see x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this call.";error_category="invalid_grant" header, is this because the appropriate API permissions are not assigned to the App or something else?

2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Received response: 403 .
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Received 28 headers.
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Cache-Control: private
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Content-Type: text/xml; charset=utf-8
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Server: Microsoft-IIS/10.0
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: request-id: 828aac02-005f-6696-fcee-7ecc603d6e47
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Alt-Svc: h3=":443",h3-29=":443"
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-CalculatedBETarget: SG2PR03MB5022.apcprd03.prod.outlook.com
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-BackEndHttpStatus: 403
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Set-Cookie: XXXX
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: WWW-Authenticate: Bearer clientid="00000002-0000-0ff1-ce00-000000000000", trustedissuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", error="invalid_token"
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-RUM-Validated: 1
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-RUM-NotUpdateQueriedPath: 1
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-RUM-NotUpdateQueriedDbCopy: 1
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: x-ms-appId: XXXX
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Restrict-Access-Confirm: 1
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: x-ms-diagnostics: 2000008;reason="The token contains not enough scope to make this call.";error_category="invalid_grant"
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-AspNet-Version: 4.0.30319
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-BeSku: WCS5
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-DiagInfo: SG2PR03MB5022
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-BEServer: SG2PR03MB5022
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-Proxy-RoutingCorrectness: 1
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-Proxy-BackendServerStatus: 403
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-FirstHopCafeEFZ: XSP
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-FEProxyInfo: SG2PR03CA0108.APCPRD03.PROD.OUTLOOK.COM
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-FEEFZInfo: XSP
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-Powered-By: ASP.NET
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: X-FEServer: SG2PR03CA0108
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Date: Tue, 14 Mar 2023 11:22:56 GMT
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Content-Length: 0
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Response Content-Length: 0 bytes.
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Response Connection not specified; using 'keep-alive'.
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Response Content-Encoding not specified.
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: Response Transfer-Encoding not specified.
2023-03-14 19:22:57.010 DEBUG Ews(1)[3] HTTP: exchangecookie cookie: XXXX
2023-03-14 19:22:57.010 INFO Ews(1)[3] HTTP: Request failed: 403
2023-03-14 19:22:57.057 DEBUG Ews(1)[3] HTTP: Received content (0 bytes).
2023-03-14 19:22:57.057 DEBUG Ews(1)[3] HTTP: Closing response stream.
2023-03-14 19:22:57.119 ERROR Ews(1)[3] EWS: GetFolderId failed: System.Xml.XmlException: Root element is missing.
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at idbot.quneu.znyhy(XmlReader p0)
at idbot.tfwxw.cutui(Stream p0)
at idbot.nvplb.kgnpx(Stream p0)
at idbot.nvplb.kclcy[T](String p0, Object p1)
at Rebex.Net.Ews.psqlp(EwsFolderId p0, srqvf p1)
at Rebex.Net.Ews.idbot.xuyqj.nlesa()
at Rebex.Net.Ews.ppgmj[T](String p0, Func1 p1, rafjh p2) 2023-03-14 19:22:57.119 ERROR Ews(1)[3] EWS: Login failed: Rebex.Net.EwsException: Root element is missing. ---> System.Xml.XmlException: Root element is missing. at System.Xml.XmlTextReaderImpl.Throw(Exception e) at System.Xml.XmlTextReaderImpl.ParseDocumentContent() at System.Xml.XmlTextReaderImpl.Read() at idbot.quneu.znyhy(XmlReader p0) at idbot.tfwxw.cutui(Stream p0) at idbot.nvplb.kgnpx(Stream p0) at idbot.nvplb.kclcy[T](String p0, Object p1) at Rebex.Net.Ews.psqlp(EwsFolderId p0, srqvf p1) at Rebex.Net.Ews.idbot.xuyqj.nlesa() at Rebex.Net.Ews.ppgmj[T](String p0, Func1 p1, rafjh p2)
--- End of inner exception stack trace ---
at Rebex.Net.Ews.ppgmj[T](String p0, Func1 p1, rafjh p2) at Rebex.Net.Ews.aswil(EwsFolderId p0) at Rebex.Net.Ews.idbot.fdvwo.xyvvf() at Rebex.Net.Ews.ppgmj[T](String p0, Func1 p1, rafjh p2)
2023-03-14 19:22:57.166 DEBUG Ews(1)[3] EWS: Executing Disconnect method.
2023-03-14 19:22:57.166 DEBUG Ews(1)[3] HTTP: Closing HTTP session (1).

Applies to: Rebex Secure Mail

1 Answer

0 votes
by (147k points)

Yes, this indicates that the EWS client has been able to authenticate, but the access token did not have appropriate permissions to use the EWS API.

The following articles describe the permissions needed:
https://blog.rebex.net/office365-ews-oauth-unattended (for unattended apps)
https://blog.rebex.net/oauth2-office365-rebex-mail (apps with signed-in users)

By the way, which version of Rebex EWS do you use? R6.8 (v6.0.8334) and later should report an error based on "The token contains not enough scope to make this call" instead of "Root element is missing" (which was actually true, but not very helpful).

by (160 points)
We are using V5.0.7486.2 version.
by (147k points)
Thanks, that explains the error message. We recommend upgrading to an up-to-date version, particularly if you use it to access the cloud-based Office365 EWS service. Recent versions not only improves error messages, but also enhances performance and fixes several issues: https://www.rebex.net/secure-mail.net/history.aspx
...