Connect-MgGraph app-only authentication - Access is denied errors

[SPNass]

Hi Gents,

I'm trying to use the Graph SDK to manage organization contacts for internal employees via a runbook.
I see from the MS documentation that app-only authentication is supported:
https://learn.microsoft.com/en-us/powershell/microsoftgraph/app-only?view=graph-powershell-1.0&tabs=powershell

Therefore, I’m connecting as follows:

$Connection = Get-AutomationConnection -Name “AzureRunAsConnectionGraph”
Connect-MgGraph -ClientID $Connection.ApplicationId -TenantId $Connection.TenantId -CertificateThumbprint $Connection.CertificateThumbprint
$context = Get-MgContext
$context.Scopes

Here is the output:

Welcome To Microsoft Graph!
TeamMember.Read.All
User.ReadWrite.All
Group.Read.All
Directory.Read.All
GroupMember.Read.All
Team.ReadBasic.All
MailboxSettings.Read
Contacts.ReadWrite
Mail.Send
MailboxSettings.ReadWrite
Contacts.Read

Despite using the app-only authentication and having "Contacts.ReadWrite" permission, I’m getting "access is denied" errors on all below commands:

• Get-MgUserContactFolder
  -$folderStaffDirectory = Get-MgUserContactFolder -UserId $Mbx.UserPrincipalName | Where-Object {$_.DisplayName -eq $folderName}
• New-MgUserContactFolder
  New-MgUserContactFolderContact -UserId $Mbx.UserPrincipalName -BodyParameter $params -ContactFolderId $folderStaffDirectory.Id -DisplayName $Contact.DisplayName -CompanyName $Contact.CompanyName -Department $Contact.Department -JobTitle $Contact.JobTitle -PersonalNotes $OrgNotes -MobilePhone $Contact.Mobile
• Get-MgUserContactFolderContact
  [array]$ContactsInMbx = Get-MgUserContactFolderContact -UserId $Mbx.UserPrincipalName -ContactFolderId $folderStaffDirectory.Id -All
• New-MgUserContactFolderContact
  $folderStaffDirectory = New-MgUserContactFolder -UserId $Mbx.UserPrincipalName -BodyParameter $paramsFolder

Error example:
Get-MgUserContactFolder : Access is denied. Check credentials and try again. At line:91 char:2 + $folderStaffDirectory = Get-MgUserContactFolder -UserId $Mbx.User ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: ({ UserId = conf..., Property = }:<>f__AnonymousType317) [Get-MgUserContactFolder_List1], RestException1 + FullyQualifiedErrorId : ErrorAccessDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUserContactFolder_List1

Is there anything wrong ?
Please feel free whether you need more details.

Thanks in advance.
Cheers,
Patrick

[peombwa]

Thanks for following up on this.

Please open a question/ticket at https://developer.microsoft.com/en-us/graph/support for assistance around permissions and API related issues. Permission validation is handled by the API and not the module.

You should also include the request-id and date response headers of the failing request in the question/ticket you open at https://developer.microsoft.com/en-us/graph/support. See https://learn.microsoft.com/en-us/powershell/microsoftgraph/troubleshooting?view=graph-powershell-1.0#using--debug for details on how to access the headers.