
We have an implementation of the Microsoft Graph API that uses the authorization code grant. We need it to be able to access all calendars of the tenant, so we added Calendars.ReadWrite to the scope (Calendars.ReadWrite.all does not exist). So far, it has only been possible to access one user's calendars with it (whatever account was used to grant access to the application). This is contrary to what the documentation states, or at least how I interpreted it in lieu of an explicit all permission, and due to the fact that the documentation does not say "signed in user" as it does for other permissions.

It seems that Calendars.ReadWrite does not even grant access to shared calendars (even when using the tenant admin during OAuth). Although there's a separate scope for that, I would expect this to preclude that scope, just like User.ReadWrite precludes User.Read. Also, I don't want to require users to share their calendar. It should just work.

I've seen it working with the "client credentials" grant, but the application also requires the "authorization code" grant, since apparently the subscriptions feature doesn't work as expected with the other flow. I would like to prevent having to require 2 different flows, which would honestly be really stupid. Is this possible?

aross
  • Please check this [public document](https://learn.microsoft.com/en-us/graph/outlook-get-shared-events-calendars) and then give it a try. Yes, the client credentials flow (application permissions) will get all calendars, but if you use delegated permissions make sure the calendar is shared. Please read this [document](https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http) – Shiva Keshav Varma Nov 24 '20 at 17:02

1 Answer

What MS Graph API can do should be consistent with what we can do through web UI or Outlook.

If a calendar is not shared with you, you should not be able to see it unless your account has access to it, for example, it is the calendar of a group which you are a member of.

So when using the “authorization_code” grant, you have to have this calendar shared with the account you are currently logged into. And you need to add the Calendars.ReadWrite.Shared delegated permission to your AAD application.

You can find the differences between the delegated permission and application permission.


The docs shared by @Shiva list the full steps for getting a shared or delegated Outlook calendar and its events.

Allen Wu
  • Thanks for answering, but you missed a crucial bit of my question: We need it to be able to access ***all*** calendars of the tenant (not just shared ones) – aross Nov 25 '20 at 08:56
  • Basically your answer only describes what I already know. – aross Nov 25 '20 at 08:57
  • @aross You need to give the Full Access mailbox delegation of all mailboxes to delegated account (which you use to sign in) in Exchange Admin Center: https://learn.microsoft.com/en-us/Exchange/recipients/mailbox-permissions?view=exchserver-2019#use-the-eac-to-assign-permissions-to-individual-mailboxes – Allen Wu Nov 25 '20 at 08:59
  • @aross Please see this answer: https://stackoverflow.com/questions/59153936/ms-graph-api-calendarview-403-accessdenied-error?answertab=votes#tab-top. – Allen Wu Nov 25 '20 at 09:01
  • Can I do that once or does delegation have to be setup for every user that is added subsequently? – aross Nov 25 '20 at 09:30
  • @aross I'm afraid that you have to set it up for every user that is added subsequently. – Allen Wu Nov 25 '20 at 09:31
  • So if I understand correctly, the documentation should say `Allows the app to read events in calendars of the signed-in user.`, as it does elsewhere for permissions that are intended to grant access to the signed-in user's data exclusively? I would say this is definitely very confusing. The "all" permission in application context is the same one: `Calendars.ReadWrite`, not `Calendars.ReadWrite.All` – aross Nov 25 '20 at 11:10
  • @aross I agree with you, maybe `Allows the app to read events in calendars of the signed-in user` would be clearer. Your understanding is right. If my answer is helpful, you can mark it as accepted. Thank you. – Allen Wu Nov 26 '20 at 02:01
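The thread's conclusion is that `Calendars.ReadWrite` is the same permission name in both contexts but reaches the whole tenant only when it arrives as an application permission. A quick way to tell which grant a Graph token actually carries is to look at its claims: delegated tokens (authorization code flow) list scopes in `scp`, app-only tokens (client credentials flow) list them in `roles`. The decoder below is an added example, not code from the question or answer; the tokens it builds are constructed samples with a placeholder signature, and it inspects claims for diagnosis only (production code must validate the signature against Microsoft's signing keys before trusting any claim).

```python
import base64
import json


def _b64url_encode(obj: dict) -> str:
    # JWT segments are base64url without padding.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode_json(segment: str) -> dict:
    # Restore the padding that base64url strips before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}  # constructed; real tokens are RS256-signed
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.placeholder-signature"


def calendar_reach(token: str) -> dict:
    """Describe the calendar reach implied by a Graph token's permission claims.

    Delegated tokens carry a space-separated 'scp' string; app-only tokens carry
    a 'roles' array. Calendars.ReadWrite appears under both names, but only the
    application form spans every mailbox in the tenant.
    """
    claims = _b64url_decode_json(token.split(".")[1])
    scp = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))

    if "Calendars.ReadWrite" in roles:
        return {"grant": "application", "reach": "all mailboxes in the tenant"}
    if "Calendars.ReadWrite" in scp:
        shared = "Calendars.ReadWrite.Shared" in scp
        reach = "signed-in user's mailbox"
        if shared:
            reach += " plus calendars explicitly shared with that user"
        return {"grant": "delegated", "reach": reach}
    grant = "delegated" if scp else ("application" if roles else "unknown")
    return {"grant": grant, "reach": "no calendar write access"}


if __name__ == "__main__":
    # Constructed claim sets mirroring the two flows discussed in the thread.
    delegated = make_sample_token({"scp": "Calendars.ReadWrite User.Read"})
    app_only = make_sample_token({"roles": ["Calendars.ReadWrite"]})
    print(calendar_reach(delegated))
    print(calendar_reach(app_only))
```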