I'm able to connect if I do this:
Connect-MgGraph -AccessToken $token
Remove-MgUserMessage -UserId $email -MessageId $item.id
but I'm getting unauthorized errors when trying to delete an email.
I tried this as well:
Connect-MgGraph -AccessToken $token -Scopes "User.ReadWrite.All"
Remove-MgUserMessage -UserId $email -MessageId $item.id
But then I get this error:
Connect-MgGraph : Parameter set cannot be resolved using the specified named parameters.
At D:\Scripts\GraphAPITest2.ps1:159 char:1
Connect-MgGraph -AccessToken $token -Scopes "User.ReadWrite.All"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidArgument: (:) [Connect-MgGraph], ParentContainsErrorRecordException
FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
Is it not allowed to combine the -AccessToken and the -Scopes parameters? I've been told that I've been given Mail.ReadWrite and ServiceMessageViewpoint.Write privileges.
When using a token, is it supposed to get all the scopes from the token? Or do you still have to tell the PowerShell program that your intent is to do a delete or update, and not just a read?
I've also posted this question about "Variants", but no reply yet: What are "variants" in Azure permissions
CodePudding user response:
If you connect by using an AccessToken there is no need to specify the scopes, as those are already defined in the token. After you establish a connection you can verify which permissions the current session has with:
(get-mgcontext).Scopes
Once you authenticate to get the accessToken in the first step, ensure that you have:
Scope = 'https://graph.microsoft.com/.default'
in the body to automatically claim all permissions available to that identity.
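The full flow the answer describes, as an added example that is not the poster's or the answerer's code: request an app-only token with the .default scope, check locally which permissions the token actually carries (app-only tokens list them in the roles claim, delegated tokens in scp) before connecting, then connect with the token alone and confirm with Get-MgContext. Tenant id, client id, secret and mailbox are placeholders, and -AccessToken is assumed to take a string as in the question (SDK v2 expects a SecureString there).

```powershell
# Added example; placeholders below must be replaced with your own values.
$tenantId     = '<tenant-id>'
$clientId     = '<app-client-id>'
$clientSecret = '<client-secret>'
$userEmail    = 'user@example.com'   # constructed sample mailbox

# 1. Client-credentials token request. The .default scope asks for every
#    application permission that has been admin-consented for this app.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$token = $tokenResponse.access_token

# 2. Decode the JWT payload (base64url, second dot-separated part) to see
#    what was actually granted before trying any Graph call.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}
$claims  = Get-JwtPayload -Jwt $token
$granted = @($claims.roles) + @(if ($claims.scp) { $claims.scp -split ' ' })
if ($granted -notcontains 'Mail.ReadWrite') {
    throw "Token lacks Mail.ReadWrite; granted: $($granted -join ', ')"
}

# 3. Connect with the token only. No -Scopes: the permissions come from the
#    token itself, which is why combining the two parameters is rejected.
Connect-MgGraph -AccessToken $token
(Get-MgContext).Scopes   # should match the roles/scp claims decoded above

# 4. With Mail.ReadWrite present in the token, the delete is authorized.
$msg = Get-MgUserMessage -UserId $userEmail -Filter "subject eq 'constructed test message'" -Top 1
if ($msg) { Remove-MgUserMessage -UserId $userEmail -MessageId $msg.Id }
```

If step 2 throws, the fix is on the app registration side (grant the permission as an Application permission and admin-consent it), not in the Connect-MgGraph call.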