I agree with @Prasad-MSFT: this restriction is to uphold a strong security boundary between tenants, preventing unauthorized access to another tenant’s data without explicit permission.
This approach follows the principle of least privilege, helping to safeguard against data leaks and unauthorized access.
While the getAllMessages endpoint is a paid API, it enables retrieval of messages across tenant boundaries. Its use must always adhere to the organization’s privacy and compliance requirements.
Hence you need to make use of the getAllMessages endpoint only, and this API always complies with the organization’s privacy and compliance policies.
GET https://graph.microsoft.com/v1.0/users/UserID/chats/getAllMessages
This API is not a security loophole — it’s approved officially.