We have an application on Azure, which we already managed to read through the user's email after a lot of work and frustration.
For testing purposes, I gave the application almost full access (see image) 
below), including but not limited to sending email on behalf of users, reading email of users, etc. I know that we do not need to provide the application such access if necessary, but this is just to send the work by email.
I have this curl code for testing purposes to send email
curl -i https://graph.microsoft.com/v1.0/me/sendmail -H 'Content-Type: application/json' -X POST -d '{"Message":{"Subject": hi", "Body": {"ContentType": "Text", "Content": "body"},"ToRecipients":[{"EmailAddress": {"Address": " alerts-noreply@mail.windowsazure.com "}}]},"SaveToSentItems": "true"}' -H 'Authorization: Bearer eyJ......TOKEN.....YlhaHbAFQ'
and he gave me this error
{ "error": { "code": "ErrorAccessDenied", "message": "Access is denied. Check credentials and try again.", "innerError": { "request-id": "4895f98f-c5a4-4083-867b-f6c7b4634b7f", "date": "2017-01-24T21:48:47" } } }
If the application has such full access, why the application will be rejected?
The token was purchased with the following code:
https://login.microsoftonline.com/f0263....0be3/oauth2/authorize?client_id=8a676..e4b6&redirect_uri=http://www.wrabc.com:8090/&response_type=code.
I use your help.