Standard Users Cannot Access Microsoft Graph Mail.Read Despite Admin Consent. But admin can !

Question

Standard Users Cannot Access Microsoft Graph Mail.Read Despite Admin Consent. But admin can !

Wacime Yousfi 20

Details: I have an internal Azure AD application (rag-outlook) that uses Delegated permissions to access user emails via Microsoft Graph.

Setup:

App is registered in our tenant (EnerVivo)
Delegated permissions granted: Mail.Read, User.Read, offline_access
Admin consent has been granted at the tenant level
Users are assigned in Enterprise Applications → rag-outlook → Users and Groups
OAuth flow: Authorization Code Flow (delegated)
API calls use: GET https://graph.microsoft.com/v1.0/me/messages
Standard users have Microsoft 365 Business Standard licenses with Exchange Online enabled
No Conditional Access policies are in place

Problem:

Global administrators can successfully read their emails
Standard users authenticate successfully but cannot fetch emails
They see the “This app requires your admin’s approval” prompt, even after admin consent
Access tokens include scp with delegated scopes
Endpoint is correct (/me/messages)

Question:

Has anyone experienced a similar issue where only admins can access mail via delegated Graph permissions?

Are there tenant-level settings, Exchange mailbox properties, or other restrictions that can prevent standard users from using delegated Mail.Read despite correct OAuth flow and admin consent?

VEMULA SRISAI 11,325 Reputation points Microsoft External Staff Moderator

2026-03-03T19:00:56.9033333+00:00

Hello Wacime Yousfi,

This behavior is usually caused by tenant‑level user consent restrictions, not by Microsoft Graph or Exchange.

Even though Mail.Read (delegated) is granted and admin consent is completed, if user consent is disabled or restricted in the tenant, standard users will still see the “This app requires your admin’s approval” prompt. Global admins can bypass this, which explains why it works only for them.

Please check Entra ID → Enterprise applications → Consent and permissions → User consent settings and ensure the app is explicitly allowed for users, or that user consent is enabled. Mailbox properties and Exchange application access policies do not affect delegated /me/messages access.

Once the app is approved at the tenant level for user sign‑in, standard users should be able to read mail without issues.
Wacime Yousfi 20 Reputation points

2026-03-04T18:28:48.6+00:00

Hello VEMULA SRISAI,

Thank you for your response.

I have already reviewed the tenant-level consent configuration in Entra ID → Enterprise Applications → Consent and permissions → User consent settings.

The current setting is:

Allow user consent for apps from verified publishers, for selected permissions All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.

The application is registered in our organization, and admin consent for Microsoft Graph permissions (including Mail.Read delegated) has already been granted at the tenant level.

Despite this configuration, standard users still receive the “Need admin approval” prompt, while global admins can sign in without issue.

Given this, it seems the issue may not be directly related to the user consent policy. Is there another tenant-level restriction or configuration that could cause this behavior?

Thank you for your guidance.

Answer accepted by question author

0 additional answers

Your answer

VEMULA SRISAI 11,325 Reputation points Microsoft External Staff Moderator

2026-03-03T19:00:56.9033333+00:00

Hello Wacime Yousfi,

This behavior is usually caused by tenant‑level user consent restrictions, not by Microsoft Graph or Exchange.

Even though Mail.Read (delegated) is granted and admin consent is completed, if user consent is disabled or restricted in the tenant, standard users will still see the “This app requires your admin’s approval” prompt. Global admins can bypass this, which explains why it works only for them.

Please check Entra ID → Enterprise applications → Consent and permissions → User consent settings and ensure the app is explicitly allowed for users, or that user consent is enabled. Mailbox properties and Exchange application access policies do not affect delegated /me/messages access.

Once the app is approved at the tenant level for user sign‑in, standard users should be able to read mail without issues.
Wacime Yousfi 20 Reputation points

2026-03-04T18:28:48.6+00:00

Hello VEMULA SRISAI,

Thank you for your response.

I have already reviewed the tenant-level consent configuration in Entra ID → Enterprise Applications → Consent and permissions → User consent settings.

The current setting is:

Allow user consent for apps from verified publishers, for selected permissions All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.

The application is registered in our organization, and admin consent for Microsoft Graph permissions (including Mail.Read delegated) has already been granted at the tenant level.

Despite this configuration, standard users still receive the “Need admin approval” prompt, while global admins can sign in without issue.

Given this, it seems the issue may not be directly related to the user consent policy. Is there another tenant-level restriction or configuration that could cause this behavior?

Thank you for your guidance.

Answer 1

VEMULA SRISAI 11,325 Microsoft External Staff Moderator

Wacime Yousfi Thanks for confirming the consent settings.

In this scenario, the issue is not Exchange or Microsoft Graph, but an Entra ID application control. When “User assignment required” is enabled on the Enterprise Application, Entra ID enforces admin‑only consent, even if tenant‑wide admin consent is already granted. Global admins can bypass this, which explains why it works only for them.

Please check Enterprise Applications → rag‑outlook → Properties and ensure User assignment required = No. Also confirm your OAuth request does not force prompt=consent, as that can re‑trigger admin approval for standard users.

Once these are corrected, standard users should be able to access /me/messages with delegated Mail.Read without seeing the admin approval prompt.

Wacime Yousfi 20 Reputation points

2026-03-05T15:28:03.7166667+00:00

Hello VEMULA SRISAI,

Thank you very much for your help.

You were absolutely right to mention the prompt=consent parameter. After reviewing the OAuth request, I discovered that it was indeed included in the authorization URL. Removing it resolved the issue immediately, and standard users can now sign in and access their mailbox without receiving the “Need admin approval” prompt.

I really appreciate your guidance and the time you took to help investigate this <3.
VEMULA SRISAI 11,325 Reputation points Microsoft External Staff Moderator

2026-03-05T15:34:02.23+00:00

Wacime Yousfi Thank you for Informing, If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know

Share via

Standard Users Cannot Access Microsoft Graph Mail.Read Despite Admin Consent. But admin can !

0 additional answers

Your answer