First, I'm using Spring, Jetty, Retrofit.

When I use calendarView locally, it returns the values successfully.

But when others connect to my local server and call this API, it always returns a 403 AccessDenied error. (Additionally, when they call another MS API, they return the successful values.)

I think I have set all the recommended permissions in the Graph API. But this could be my illusion.

In order for someone else to call the API from my local server, what should I do?

Or am I missing anything on this matter?

These are my permissions.

"openid",
"offline_access",
"profile",
"User.ReadWrite",
"Mail.ReadWrite",
"Calendars.ReadWrite",
"User.ReadBasic.All",
"BookingsAppointment.ReadWrite.All"

This is my Azure info.

[Image of permission]

And I'm using this calendar view API:

https://learn.microsoft.com/en-us/graph/api/calendar-list-calendarview?view=graph-rest-1.0&tabs=http

And I'm using this URL in my code (in this case, I'm using a batch request):

GET | "/users/"+getAddress()+"/calendarView?startDateTime="+getStartTime()+"&endDateTime="+getEndTime()
jimas13
SK J
  • For "others", does it mean other users in the same Azure AD tenant as you? And what do you mean by "others connect to my local server"? You are trying to access O365 data. It doesn't matter where you call the API. – Allen Wu Dec 03 '19 at 09:36
  • I apologize for my insufficient explanation. I'm testing this locally using Jetty (e.g. https://IP-address:8443/projectName). And I'm testing API calls by having people on the same Wi-Fi connect to my local server (with IPv4). Also, they use the same app that I registered in Azure AD. – SK J Dec 03 '19 at 23:53
  • Do they need to sign into your app with their credentials? And whose calendarView are they trying to access? – Allen Wu Dec 04 '19 at 03:13
  • Yes, they are using their credentials in my app. When they sign in, my app receives access to their account. For CalendarView, I use this to find the availability of each floor. So, I call the API as below. No.1: /beta/me/findRoomLists. No.2: /beta/me/findRooms(RoomList='{RoomList}') -> (based on No.1). No.3: /v1.0/users/{Room}/calendar/calendarView -> (based on No.2). I normally get data from No.1 to No.3. But people who use the same network receive data normally for No.1 and No.2. However, problems arise in No.3. – SK J Dec 04 '19 at 03:38
  • So when you normally get data from No.1 to No.3, you are using the credentials of the user "{Room}". Is that right? – Allen Wu Dec 04 '19 at 04:29

1 Answer

Based on your description, other users are trying to access the calendarView of the user "{Room}".

In this case, you need 2 more configurations.

  1. User "{Room}" gives mailbox permissions "Full Access" to other users in Office 365. See Use the EAC to assign permissions to individual mailboxes. (You should be able to find the room under Resources. The process can take up to hours for the changes to propagate through the system and be in effect.)
  2. Add one more delegated permission, Calendars.ReadWrite.Shared, to the app registered in Azure AD.
Allen Wu
  • Thank you very much. I set this up and it worked perfectly! :) But people are requesting APIs from their respective accounts, and it's still a question why this didn't work. Was there anything I was mistaken about? – SK J Dec 04 '19 at 09:38
  • This API with Delegated permission (requires user credentials) should work only for accessing the data of the signed-in users. That is, they can only access their own data. If you are using Application permissions (without user credentials), everyone who is using your app can access the data. So what we can do to bypass it is giving full access to other users and assigning the Calendars.ReadWrite.Shared delegated permission, which means the delegated users can open the mailbox of User "{Room}" and do anything except send messages (including access its data). – Allen Wu Dec 04 '19 at 09:50
  • I see. Thank you for your specific explanation! – SK J Dec 04 '19 at 23:54
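
The following diagnostic is an added example, not code from the question or the answer. It decodes an access token's claims and reports which permission layer a `/users/{target}/calendarView` call depends on, following the delegated versus application distinction explained above. The addresses, the helper names and the sample token are constructed for illustration.

```python
import base64
import json

SHARED = {"Calendars.Read.Shared", "Calendars.ReadWrite.Shared"}
OWN = {"Calendars.Read", "Calendars.ReadWrite"} | SHARED
APP_ROLES = {"Calendars.Read", "Calendars.ReadWrite"}

# Constructed sample: the permissions listed in the question, as an "scp" value.
QUESTION_SCOPES = ("openid offline_access profile User.ReadWrite Mail.ReadWrite "
                   "Calendars.ReadWrite User.ReadBasic.All BookingsAppointment.ReadWrite.All")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), "sig"])


def decode_claims(token: str) -> dict:
    """Decode the payload for debugging; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def diagnose_calendar_view(token: str, target_user: str) -> str:
    """Explain which permission layer a /users/{target}/calendarView call depends on."""
    claims = decode_claims(token)
    if "scp" not in claims:  # app-only token: permissions arrive in "roles"
        return "ok" if set(claims.get("roles", [])) & APP_ROLES else "missing-application-role"
    scopes = set(claims["scp"].split())
    signed_in = (claims.get("upn") or claims.get("preferred_username") or "").lower()
    if target_user.lower() in ("me", signed_in):
        return "ok" if scopes & OWN else "missing-calendar-scope"
    if not scopes & SHARED:  # someone else's mailbox needs a *.Shared scope
        return "missing-shared-scope"
    return "check-mailbox-permission"  # scope present; Exchange delegation decides


if __name__ == "__main__":
    token = make_sample_token({"upn": "alice@contoso.example", "scp": QUESTION_SCOPES})
    print(diagnose_calendar_view(token, "room1@contoso.example"))
```

A result of `check-mailbox-permission` means the token side is in order and the remaining dependency is the mailbox permission on the target in Exchange, which is step 1 of the answer.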