How I Finally Got Microsoft Graph Email Integration Working with NestJS and Microsoft 365

I created a new application and configured a redirect URI:

http://localhost:3000/mail/outlook/callback

The application generated:

• Client ID
• Tenant ID

Next, I created a Client Secret from:

Certificates & Secrets
→ New Client Secret

These values were added to the NestJS environment configuration:

AZURE_CLIENT_ID=...
AZURE_CLIENT_SECRET=...
AZURE_TENANT_ID=...
AZURE_REDIRECT_URI=http://localhost:3000/mail/outlook/callback

Step 2: Configure Microsoft Graph Permissions

Under:

API Permissions
→ Microsoft Graph
→ Delegated Permissions

I added:

openid
profile
offline_access

User.Read

Mail.Read
Mail.ReadWrite
Mail.Send

After adding permissions, I granted admin consent.

This step is critical because OAuth may succeed even when mailbox permissions are missing.

Step 3: Implement OAuth Flow in NestJS

The application exposed two endpoints:

GET /mail/outlook/connect
GET /mail/outlook/callback

The connect endpoint redirected users to Microsoft Login.

After successful authentication, Microsoft redirected back to:

/mail/outlook/callback

where the authorization code was exchanged for:

• Access Token
• Refresh Token

Step 4: First Success — User Profile API

The first Graph API test was:

GET https://graph.microsoft.com/v1.0/me

This worked immediately.

The API returned:

{
  "displayName": "Hardik Kanjariya"
}

At this point I assumed everything was configured correctly.

I was wrong.

Step 5: Mailbox APIs Started Failing

The next API call was:

GET https://graph.microsoft.com/v1.0/me/messages

Instead of returning emails, Graph responded with:

401 Unauthorized

Even sending emails failed:

POST https://graph.microsoft.com/v1.0/me/sendMail

The strange part was:

• OAuth worked
• User profile worked
• Mail APIs failed

Step 6: Verify the Access Token

I decoded the access token using JWT inspection tools and checked the scp claim.

The token contained:

Mail.Read
Mail.ReadWrite
Mail.Send
User.Read
profile
openid

This confirmed:

• Permissions were correct
• OAuth scopes were correct
• The token was issued for Microsoft Graph

The issue was somewhere else.

Step 7: Discovering the Real Problem

Initially I was using a personal Outlook account.

Although authentication succeeded, mailbox-related operations behaved inconsistently.

To eliminate consumer-account edge cases, I created a Microsoft 365 Business Basic subscription.

Microsoft automatically provisioned:

[email protected]

This gave me:

• Microsoft Entra ID
• Exchange Online
• Microsoft Graph
• A real business mailbox

All within the same tenant.

Step 8: Create a Fresh App Registration

Instead of continuing to debug the original application registration, I created a brand-new App Registration inside the Microsoft 365 tenant.

Configuration:

Single Tenant

Redirect URI:

http://localhost:3000/mail/outlook/callback

Permissions:

User.Read
Mail.Read
Mail.ReadWrite
Mail.Send
offline_access
profile
openid

Then I granted admin consent.

Step 9: Test Everything Again

After updating the environment variables:

AZURE_CLIENT_ID=...
AZURE_CLIENT_SECRET=...
AZURE_TENANT_ID=...

I authenticated using:

[email protected]

This time:

GET /me

worked.

GET /me/messages

worked.

POST /me/sendMail

worked.

The integration was finally complete.

Step 10: Prototype Optimization

Since this was a prototype project, I intentionally avoided unnecessary complexity.

Instead of storing OAuth tokens in a database:

PostgreSQL
Token Tables
User Mapping

I used a simpler approach:

Refresh Token
↓
Store in .env
↓
Generate Access Tokens Automatically

Benefits:

• Faster development
• Easier debugging
• No database dependency
• Perfect for local prototypes

For production applications, token storage should be handled securely in a database or dedicated secrets manager.

Lessons Learned

The biggest lessons from this implementation were:

1. OAuth success does not guarantee mailbox access.
2. Always inspect the token scopes.
3. Use a proper Microsoft 365 business mailbox when testing Graph email APIs.
4. Grant admin consent after adding permissions.
5. Verify redirect URIs carefully.
6. For prototypes, keep token management simple.
7. When debugging Graph, test /me before testing mailbox endpoints.

Final Thoughts

Microsoft Graph is incredibly powerful once configured correctly. The challenge is usually not the API itself, but understanding how Azure App Registrations, OAuth permissions, Entra ID, and Exchange Online work together.

Once the tenant, mailbox, permissions, and OAuth flow are aligned, reading emails, sending messages, syncing folders, and building custom email clients becomes surprisingly straightforward.

If you're building a NestJS application that integrates with Outlook or Microsoft 365, start with a dedicated business mailbox, keep the initial architecture simple, and verify each step independently before introducing additional complexity.