Get PP_E_RPS_REASON_OFFERACTIONS_INVALID error key

I use GraphServiceClient

When I try to call:

var currentUser = await _graphServiceClient.Me.Request().GetAsync();

It works.

BUT when I try to call:

var inbox = await _graphServiceClient.Me.Messages.Request().GetAsync();

I receive:

ServiceException: Code: InvalidMsaTicket Message: ErrorCode: 'PP_E_RPS_REASON_OFFERACTIONS_INVALID'. Message: ''

Why so? What is wrong?

ADDED:

When I registered the new application, I selected "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" from Supported account types.

As a result I have:

[screenshot]

client secrets:

[screenshot]

the following authentication:

[screenshots]

and API permissions:

[screenshot]

my application has the following auth:

[screenshot]

and the same permissions:

[screenshot]

My appsettings.json:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "https://spoutlookdev.azurewebsites.net",
    "TenantId": "common",
    "ClientId": "2505a5*************5eb",
    "ClientSecret": "Upw8Q~************-UKCa2s",
    "ClientCertificates": [
    ],
    "ClientCapabilities": [ "cp1" ],
    "CallbackPath": "/signin-oidc"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    //"Scopes": "mail.read mail.readbasic mail.readbasic.all mail.readwrite user.read"
    "Scopes": "user.read Mail.Read Mail.ReadBasic Mail.ReadWrite email profile"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

and Program.cs:

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();

builder.Services.AddServerSideBlazor()
    .AddMicrosoftIdentityConsentHandler()
    ;

var config = builder.Configuration;

string[]? initialScopes = config.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(config.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddMicrosoftGraph(config.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();

app.Run();

NOTE: when it asks for permissions, it asks only for the basic ones (profile and email), but does not ask to read mail. Is that OK?

[screenshot]

What does "Status" mean in permissions? Some of them are marked "Granted for 3MD", some of them are not. Could it have an effect?



Solution 1:[1]

Could you please try using Microsoft Graph Explorer and check the URL https://graph.microsoft.com/v1.0/me/messages? If it still doesn't work, let us know what error you are getting. Also try checking with another user, to see whether it is user-specific or not.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 vicky kumar