
I have a demo integration running from ServiceNow to Office 365. Everything was working fine the last time I checked (a couple of days ago). I have set it up in two ways (using two Auth flows):

  1. Authorization Code - this still works fine.

  2. Client Credentials - this is giving me an error now when I try to access any calendar. The App is registered, the permissions are there:

When trying to run the getSchedule API, I get the below response:

"error": {
    "code": "ErrorAccessDenied",
    "message": "Access to OData is disabled.",
    "innerError": {
      "request-id": "e14a6800-ed63-4692-9934-cc0ec009d93b",
      "date": "2020-03-16T14:43:34"
    }
}

I checked everywhere I could. The Access token is generated. It is definitely something to do with the Graph API for the calendar.

TylerH
TomaszS

1 Answer


The problem was with the Application Access Policy.

Basically, if you use Application Permissions within OAuth for Microsoft 365, you can further narrow down the permissions using the below instructions: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

Microsoft Graph application permissions (you may not need all of them):

  • Mail.Read
  • Mail.ReadBasic
  • Mail.ReadBasic.All
  • Mail.ReadWrite
  • Mail.Send
  • MailboxSettings.Read
  • MailboxSettings.ReadWrite
  • Calendars.Read
  • Calendars.ReadWrite
  • Contacts.Read
  • Contacts.ReadWrite

For more information about configuring application access policy, see the PowerShell cmdlet reference for New-ApplicationAccessPolicy.

Handling API errors

You might encounter the following error when an API call is denied access due to a configured application access policy.

{
    "error": {
        "code": "ErrorAccessDenied",
        "message": "Access to OData is disabled.",
        "innerError": {
            "request-id": "<request GUID is here>",
            "date": "<UTC date format here>"
        }
    }
}

If the Microsoft Graph API calls from your app return this error, work with the Exchange Online administrator for the organization to ensure that your app has permission to access the mailbox resource.

It appears in our case one of the policies was not removed/updated properly. After we removed all policies related to this integration, it started working again.

TylerH
TomaszS
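
An added example (not part of the original answer or of Microsoft's documentation): one way for an Exchange Online administrator to list the application access policies that apply to an app, check the effective result per mailbox, and preview removal of stale policies. It assumes the ExchangeOnlineManagement module is installed; the app ID and mailbox addresses are placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an Exchange admin role.
# $AppId and $Mailboxes are placeholders; substitute the values for your integration.
$AppId     = '00000000-0000-0000-0000-000000000000'                # placeholder client ID of the app registration
$Mailboxes = 'room1@contoso.example', 'user1@contoso.example'      # placeholder mailboxes the app must reach

Connect-ExchangeOnline

# 1. List every policy scoped to this app. A leftover RestrictAccess policy that
#    points at an old or empty group denies all mailboxes outside that group,
#    which surfaces in Graph as "Access to OData is disabled."
$policies = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
$policies | Format-Table Identity, AccessRight, ScopeName, Description -AutoSize

# 2. Check the effective result for each mailbox (Granted or Denied).
$results = foreach ($mbx in $Mailboxes) {
    Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId |
        Select-Object Mailbox, AppId, AccessCheckResult
}
$results | Format-Table -AutoSize

# 3. Preview removal of the policies for this app. -WhatIf makes no change;
#    drop it only after confirming the policy is no longer wanted.
foreach ($p in $policies) {
    Remove-ApplicationAccessPolicy -Identity $p.Identity -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

With no policy in place, the app can reach every mailbox its application permissions cover. To keep it limited, recreate a policy with New-ApplicationAccessPolicy against the correct mail-enabled security group instead of leaving the app unscoped.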