Hi Quick Community,
I am creating an App in Amazon QuickSuite that will help to translate email escalations into a standard template and track these escalations before my team uses the various intake processes of internal teams to escalate these issues.
I plan to add the shared mailbox email address as a watcher to these tickets / or let the App fetch the ticket information directly via URL to update the escalations from incoming emails and internal tickets.
When using my own email account this is working fine.
To reduce dependency, I want to use a shared mailbox smb@amazon.com (ANT Group: myteamsmb) instead.
When I try to fetch the emails, the error message in the AI is:
“The action call to SearchEmails with user_id “smb@amazon.com” returns a 403 (AUTHORIZATION_ERROR): the connected user doesn’t have permission to access that mailbox. Fix by changing user_id to “me” to access the authenticated user’s own mailbox, or ensure the connected account has delegated/application permissions (Mail.Read.All) for that shared mailbox.”
I have granted users all permissions for the shared mailbox.
Is there anything that I have to change or specific permissions that have to be granted for this Shared Mailbox in order to be the source for the App?
Best regards,
Robert
Hi @korell and welcome to the community!
The 403 error you’re seeing means the OAuth connection Quick uses to access Outlook doesn’t have permission to read the shared mailbox; it only has access to your personal mailbox by default.
Even though you’ve granted permissions on the shared mailbox itself, the Microsoft Graph API also needs the Mail.Read.Shared scope to be consented in Azure AD. Without it, any request to a mailbox other than your own will be rejected. Here’s what I would recommend: first, confirm your user account has “Full Access” to the shared mailbox in the Exchange Admin Center, not just through a group, but explicitly assigned to your account. Then ask your Azure AD / IT admin to verify the enterprise app registration used by Quick has the Mail.Read.Shared scope consented. This is what I’d assume is the missing piece.
Alternatively, if you want to try a quick workaround, you could try setting up an auto-forward rule on the shared mailbox to send relevant emails to your personal inbox, so your app can continue working while proper delegated access is configured.
Let us know how it goes!
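The scope check described in the reply above, as an added example that is not part of the original post and is not Quick's own code: it decodes a delegated Microsoft Graph access token and reports whether its consented scopes cover a read of the given mailbox. The function names, the `example.com` addresses and the unsigned sample token are constructed for illustration, and it assumes the token carries the `scp` and `upn` claims.

```python
import base64
import json

# Delegated Microsoft Graph mail scopes, as they appear in a token's "scp" claim.
OWN_SCOPES = {"Mail.Read", "Mail.ReadWrite"}
SHARED_SCOPES = {"Mail.Read.Shared", "Mail.ReadWrite.Shared"}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scope_allows_read(claims: dict, user_id: str) -> tuple[bool, str]:
    """Check whether the consented delegated scopes cover reading user_id's mail."""
    granted = set(claims.get("scp", "").split())
    upn = claims.get("upn", "").lower()
    own = user_id == "me" or (upn != "" and user_id.lower() == upn)
    # The *.Shared scopes also cover the signed-in user's own mailbox.
    accepted = OWN_SCOPES | SHARED_SCOPES if own else SHARED_SCOPES
    if granted & accepted:
        return True, "scope present; Exchange mailbox permission is still required"
    return False, "missing consent for one of: " + ", ".join(sorted(accepted))


# Constructed claims: a connection consented only for the user's own mailbox.
SAMPLE = make_sample_token({"upn": "alice@example.com", "scp": "User.Read Mail.Read"})

if __name__ == "__main__":
    claims = token_claims(SAMPLE)
    for target in ("me", "shared@example.com"):
        print(target, scope_allows_read(claims, target))
```

A passing scope check is necessary but not sufficient: the signed-in user still needs access to the shared mailbox in Exchange, as the reply notes.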
Hi @korell,
Just checking back in since this thread hasn’t received a response in a while. Was Cesar’s reply helpful to you and/or were you able to find a solution yourself in the meantime? Please help the community by marking this answer as “Solution” or following up in general within the next 3 business days!
Thank you!
Hi @korell,
Since I haven’t received any further updates from you, I’ll treat this inquiry as complete for now. If you have any additional questions, feel free to create a new post in the community and link this discussion for context.
Thank you!