MS Graph API: invalid authentication token

I'm trying to use the Microsoft Graph API to query an Outlook/O365 mailbox for messages. I registered my app in the Azure portal and received the necessary information to query the API. The app has the Mail.Read permission. (I don't have access to the Azure portal, I was told it was set up this way.) When I get my token from the OAuth endpoint, however, it doesn't work in any subsequent calls. I'm using Python's requests module for testing right now.

Why is this call failing? It seems like I'm passing all of the correct information but I'm clearly missing something.

I'm getting the token by performing a POST on:

https://login.microsoftonline.com/my.domain/oauth2/token

I pass the necessary parameters:

data = {'grant_type': 'client_credentials', 'client_id': CLIENTID, 'client_secret': SECRET, 'resource': APPURI}

and I get a response like this:

{
    'resource': 'APPURI',
    'expires_in': '3599',
    'ext_expires_in': '3600',
    'access_token': 'TOKENHERE',
    'expires_on': '1466179206',
    'not_before': '1466175306',
    'token_type': 'Bearer'
}

I try to use that token, however, and it doesn't work for anything I call. I'm passing it as a header:

h = {'Authorization': 'Bearer ' + TOKEN}

I'm calling this URL:

url = 'https://graph.microsoft.com/v1.0/users/[email protected]/messages'

Specifically, I use this:

r = requests.get(url, headers=h)

The response is a 401:

{
    'error': {
        'innerError': {
            'date': '2016-06-17T15:06:30',
            'request-id': '[I assume this should be removed for privacy]'
         },
         'code': 'InvalidAuthenticationToken',
         'message': 'Access token validation failure.'
     }
}