My desktop application needs to download mail from an office 365. I am trying to connect to the server using the code (VBS) from the documentation (protocol - MailServerEWS, authorization type - MailServerAuthXOAUTH2) by userEmail and accessToken. The server returns a 403 Server Error. Access and roles office 365 are administered by the client. AccessToken obtained using tenantid and client_secret has the following structure
{
"aud": "https://outlook.office365.com",
"iss": "https://sts.windows.net/********-****-****-****-************/",
"iat": 1692274954,
"nbf": 1692274954,
"exp": 1692278854,
"aio": "E2FgYGA++CiFYa2MdXr8ed6wtUaXAQ==",
"app_displayname": "Application Name
"appid": "********-****-****-****-************",
"appidacr": "1",
"idp": "https://sts.windows.net/********-****-****-****-************/",
"oid": "********-****-****-*****************",
"rh": "*.******_*************-******************************.",
"roles": [
"POP.AccessAsApp",
"IMAP.AccessAsApp",
"SMTP.SendAsApp"
],
"sid": "********-****-****-****-************",
"sub": "********-****-****-****-************",
"tid": "********-****-****-****-************",
"uti": "**********************",
"ver": "1.0",
"wids": [
"********-****-****-****-************"
]
}
What settings should be set by the administrator in office 365 for access via the EWS protocol? What besides office 365 settings can affect access to the server?

Hi, to use EWS protocol,

You need to assign full_access_as_app:

https://www.emailarchitect.net/eagetmail/ex/b/24.aspx#add-full-access-app-permission 

and I suggest that you use Graph API instead of EWS protocol, because MS has announced that EWS will no longer be updated, and Graph API is strongly recommended.

https://www.emailarchitect.net/eagetmail/ex/b/24.aspx#graph-api-permission