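query("SELECT tenant_id, client_id, client_secret, permissions FROM admin.graph_tenants WHERE status='active' LIMIT 1")->fetch(PDO::FETCH_ASSOC);
// NOTE(review): the beginning of the statement above is outside this view. The code
// below reads the fetched row as $t and writes through $pdo, so it is presumably
// `$t = $pdo->query(...)` — confirm. Any authentication in front of this page is
// likewise not visible here.
// NOTE(review): client_secret is used exactly as stored in admin.graph_tenants; confirm
// the column is protected at rest and that access to the table is restricted.

// Verification endpoint (?action=verify): requests an app-only token with the stored
// client credentials, reads the granted application roles from it and, when a mail-read
// role is present, records that in the admin tables. Replies with JSON and exits.
//
// The parentheses are the fix: `===` binds tighter than `??`, so the unparenthesised
// `$_GET['action'] ?? '' === 'verify'` is truthy for ANY non-empty action value and
// would run the token request and the UPDATEs below.
//
// NOTE(review): this branch changes database state on a GET request. Confirm the page is
// reachable only by authenticated administrators; prefer POST with a CSRF token.
if (($_GET['action'] ?? '') === 'verify') {
    header('Content-Type: application/json');

    // fetch() yields false when no active tenant row exists; without a row there are no
    // credentials to request a token with, so answer as for any other token failure.
    if (!is_array($t)) {
        echo json_encode(['error' => 'no token']);
        exit;
    }

    $ch = curl_init("https://login.microsoftonline.com/{$t['tenant_id']}/oauth2/v2.0/token");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'client_credentials',
            'client_id'     => $t['client_id'],
            'client_secret' => $t['client_secret'],
            'scope'         => 'https://graph.microsoft.com/.default',
        ]),
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on a transport failure; treat that, a non-JSON body and
    // a body without access_token all as "no token".
    $resp = is_string($raw) ? json_decode($raw, true) : null;
    $tok  = is_array($resp) ? ($resp['access_token'] ?? null) : null;
    if (!is_string($tok) || $tok === '') {
        echo json_encode(['error' => 'no token']);
        exit;
    }

    // The token is a JWT whose middle segment is base64url-encoded JSON. base64_decode()
    // uses the standard alphabet and, in non-strict mode, silently discards '-' and '_',
    // which corrupts the payload; translate to the standard alphabet first. A token
    // without a second segment decodes to an empty role list instead of raising.
    // The claims are only inspected here: the signature is NOT verified, which is
    // tolerable solely because the token was just received over TLS from the token
    // endpoint. Never apply this decoding to a token supplied by a client.
    $parts   = explode('.', $tok);
    $payload = json_decode((string) base64_decode(strtr($parts[1] ?? '', '-_', '+/')), true);
    $roles   = (is_array($payload) && is_array($payload['roles'] ?? null)) ? $payload['roles'] : [];

    // Strict comparison: role names are strings and must match exactly.
    $hasMail = in_array('Mail.Read', $roles, true) || in_array('Mail.ReadWrite', $roles, true);

    if ($hasMail) {
        // NOTE(review): 'Mail.ReadWrite' is recorded even when the token carries only
        // Mail.Read; confirm whether the stored string should mirror the granted roles.
        $pdo->prepare("UPDATE admin.graph_tenants SET permissions=? WHERE tenant_id=?")
            ->execute(['Mail.Send,Mail.ReadWrite', $t['tenant_id']]);

        // NOTE(review): the tenant domain is hard-coded instead of being derived from the
        // row in $t, so accounts of this domain are flagged readable whichever tenant was
        // just verified — confirm this is intended.
        $pdo->exec("UPDATE admin.graph_accounts SET can_read=true WHERE tenant_domain='mbman.onmicrosoft.com'");
    }

    echo json_encode(['roles' => $roles, 'has_mail_read' => $hasMail, 'total_roles' => count($roles)]);
    exit;
}

// Admin-consent link for the stored tenant and application; the redirect target is
// Microsoft's native-client landing page.
// NOTE(review): the markup that prints $consentUrl is not visible in this view; it
// should pass the value through htmlspecialchars() when placing it in an attribute.
$consentUrl = "https://login.microsoftonline.com/{$t['tenant_id']}/adminconsent?client_id={$t['client_id']}&redirect_uri="
    . urlencode("https://login.microsoftonline.com/common/oauth2/nativeclient");
?> Brain Graph Admin Consent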

🧠 Brain Graph API

Admin Consent — Mail.ReadWrite

L'app mbman a Mail.Send mais manque Mail.Read.
Clique le bouton pour autoriser la lecture des mailboxes.

🔐 Autoriser Mail.ReadWrite

Après avoir cliqué "Accept" chez Microsoft, reviens ici et clique Vérifier.