Fix “Access to OData is disabled” error when reading posts from a mailbox using Graph API

I have been working with Microsoft Planner using the Graph API and was getting the error message "ErrorAccessDenied: Access to OData is disabled" while reading messages from an Office 365 group mailbox.

Request URL: https://graph.microsoft.com/v1.0/groups/<groupId>/threads/<conversationThreadId>/posts
Request Method: GET
Status Code: 403 Forbidden

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access to OData is disabled.",
    "innerError": {
      "request-id": "b4bbe2f4-81d1-46cb-8fee-d79d02257e64",
      "date": "2019-05-30T05:39:21"
    }
  }
}

Solution

After exploring for some time, I found that the Exchange mailbox and calendar-related Graph API endpoints internally use EWS (Exchange Web Services) to fetch and update data in the mailbox and calendar. You may receive this error message either if EWS access is disabled for all client applications or if EWS access is allowed only for particular applications.

You can check your tenant's current EWS access policy with the Exchange Online PowerShell cmdlet Get-OrganizationConfig. First, connect to the EXO PowerShell module, then run the command below:

Get-OrganizationConfig | select EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

If you find entries for either an allow or a block access policy, this might be the root cause of the error. If an allow policy is configured, ensure that your client application is included in the allow list for EWS access; if a block policy is configured, ensure that your client app is not included in the block list.

Run the command below to remove the applied EWS access policy. This setting is organization-wide: once the policy is cleared, the allow and block lists are no longer enforced for any application.

Set-OrganizationConfig -EwsApplicationAccessPolicy $null
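
As an alternative to clearing the policy, the following added example (not part of the original post) keeps an enforced allow or block list in place and changes only the entry for one client application. It assumes an Exchange Online PowerShell session is already connected; the user agent value is a placeholder and the backup file name is arbitrary.

```powershell
# Added example. Requires a connected Exchange Online PowerShell session.
# Placeholder: replace with the user agent string your client application sends.
$AppUserAgent = '<your-client-user-agent>'

$cfg = Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# Save the current settings so the change can be reviewed or reverted later.
$cfg | Export-Clixml -Path .\ews-policy-backup.xml

if ($cfg.EwsEnabled -eq $false) {
    Write-Warning 'EwsEnabled is False for the organization; the lists below are not the cause.'
}

switch ("$($cfg.EwsApplicationAccessPolicy)") {
    'EnforceAllowList' {
        # -like matches an entry exactly and also honours entries written with wildcards.
        $covered = $cfg.EwsAllowList | Where-Object { $AppUserAgent -like $_ }
        if (-not $covered) {
            # @{Add=...} appends one value and leaves the existing entries untouched.
            Set-OrganizationConfig -EwsAllowList @{Add = $AppUserAgent}
        }
    }
    'EnforceBlockList' {
        $blocking = @($cfg.EwsBlockList | Where-Object { $AppUserAgent -like $_ })
        if ($blocking.Count -gt 0) {
            # Review first: a wildcard entry may also cover clients that should stay blocked.
            Write-Output "Block list entries matching this client: $($blocking -join ', ')"
            Set-OrganizationConfig -EwsBlockList @{Remove = $blocking} -Confirm
        }
    }
    default {
        Write-Output 'No EWS application access policy is enforced for the organization.'
    }
}

# Show the resulting policy.
Get-OrganizationConfig |
    Select-Object EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
```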

You can refer to the articles below to learn more about how to configure EWS access.



1 thought on “Fix “Access to OData is disabled” error when reading posts from a mailbox using Graph API”

  1. Hello, if you run the command
    Set-OrganizationConfig -EwsApplicationAccessPolicy $null
    this will most likely break your other EWS Allow Access Policy.

    You will also need to include your other EWS Allow Access entries.

