-1

You can see in the request URL that it's addressing the URL of Office 365 https://outlook.office365.com/api/v1.0/users/{user-email}/calendarview

Request:

GET /api/v1.0/users/testuser@testapp.onmicrosoft.com/calendarview HTTP/1.1
Host: outlook.office365.com
User-Agent: myappagent/1.0
Authorization: Bearer eyJ**********
Accept: application/json
Prefer: outlook.timezone=Europe/London

Response:

HTTP/1.1 403 Forbidden
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Server: Microsoft-IIS/10.0
request-id: d5ae24e8-0c34-43b5-a8a3
X-CalculatedFETarget: *******.internal.outlook.com
X-BackEndHttpStatus: 403
X-FEProxyInfo: *********.PROD.OUTLOOK.COM
X-CalculatedBETarget: *********.prod.outlook.com
X-BackEndHttpStatus: 403
X-RUM-Validated: 1
X-BeSku: WCS6
x-ms-appId: ********
OData-Version: 4.0
X-AspNet-Version: 4.0.30319
X-DiagInfo: ********
X-BEServer: ********
X-Proxy-RoutingCorrectness: 1
X-Proxy-BackendServerStatus: 403
X-FEServer: ********
X-Powered-By: ASP.NET
X-FEServer: ********
Date: Fri, 18 Jun 2021 20:22:02 GMT

{
    "error":{
        "code":"ErrorAccessDenied",
        "message":"Access to OData is disabled."
    }
}

I have came across this article: https://learn.microsoft.com/en-us/archive/blogs/wushuai/how-to-fix-access-to-odata-is-disabled-when-calling-graph-api

But I don't think it applies since I'm using the Office 365 Calendar API.

When I checked my access policy, it's empty. Which I'm assuming means there's no restrictions, and therefore my app shouldn't have any problem.

enter image description here

And these are the permissions of the app (I added Graph API calendar just in case, but still same 403 response)

enter image description here

TylerH
  • 20,799
  • 66
  • 75
  • 101
Aproram
  • 348
  • 1
  • 3
  • 16
  • You could elaborate why you need the old api instead of the new (better) one, since all answers will talk about this. – Stephan Jun 19 '21 at 21:33
  • 1
    The v1 Outlook endpoint was fully deprecated on the 30th April https://developer.microsoft.com/en-us/microsoft-365/blogs/outlook-rest-api-v1-0-deprecation-update/ so it will no longer return anything. – Glen Scales Jun 21 '21 at 23:27
  • @Stephan For compatibility reasons with the app I'm working on, it's still using outlook.office365 API. The app works well with other tenants that created a similar app with the same permissions. But for this odd tenant, things don't get to work as explained.. – Aproram Jun 23 '21 at 00:51
  • @GlenScales thanks for the refernce, I understand that it's deprecated. But on other tenants. A similar app with similar permissions is still working without any problem. Why this odd tenant is responding with such an irrelevant (EwsApplicationAccessPolicy) when I'm not using (Graph API) ? – Aproram Jun 23 '21 at 00:54
  • 1
    Most likely is like basic auth https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-june-2021-update/ba-p/2454827 they look at usage patterns and disable first in tenants that aren't using the API first while giving time to those that do. At the end of the day you need to stop using that endpoint. – Glen Scales Jun 23 '21 at 04:11
  • The Outlook API is part of the Graph API now. – TylerH Sep 30 '21 at 20:48
  • 1
    Does this answer your question? ["Access to OData is disabled" error when making a Graph API call to a calendar](https://stackoverflow.com/questions/60708365/access-to-odata-is-disabled-error-when-making-a-graph-api-call-to-a-calendar) – TylerH Oct 04 '21 at 20:14
  • @TylerH I answered my own question, it was clear that it is using (Outlook API). Thanks for your attention. – Aproram Oct 05 '21 at 21:14
  • 1
    Yes it looks like an issue that affects the Graph API, which is what subsumed the Outlook API. – TylerH Oct 05 '21 at 22:17

3 Answers3

0

You are using a very old api endpoint, it is recommended that you use the latest ms graph api.

For your question, you need to use the client credential flow to get the token, and then specify the scope as: https://outlook.office365.com/.default.

enter image description here

Parse the token:

enter image description here

Carl Zhao
  • 8,543
  • 2
  • 11
  • 19
  • Yes, I decoded my access token and it shows the exact same expected values as your screenshot.. very bizarre.. – Aproram Jun 21 '21 at 02:15
  • @Aproram Obviously this is not a question of permissions. There is a similar answer, and I think it might work for you. share it: https://morgantechspace.com/2019/05/fix-access-to-odata-is-disabled-error-graph-api.html – Carl Zhao Jun 21 '21 at 02:25
  • I have came accross this link before. It doesn't solve this problem. It's still addressing the (graph.microsoft.com) API, which I'm not using. And the mentioned remedy is removing all the (EwsApplicationAccessPolicy) rules, which is already done according to my screenshot which has an empty list of rules. Very bizarre.. – Aproram Jun 21 '21 at 20:46
  • @Aproram Are you the administrator of the tenant? – Carl Zhao Jun 22 '21 at 01:20
  • No I'm not, but it belongs to a client of mine. The same app and permissions is working on other tenants.. This is the most odd thing.. – Aproram Jun 23 '21 at 00:50
0

After long research and trying. I realized the solution is in the (ApplicationAccessPolicy).
Reference :
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

https://learn.microsoft.com/en-us/powershell/module/exchange/get-applicationaccesspolicy?view=exchange-ps

Helpful Powershell commands : Test-ApplicationAccessPolicy
Get-ApplicationAccessPolicy
New-ApplicationAccessPolicy
Remove-ApplicationAccessPolicy
Set-ApplicationAccessPolicy

Hope this is helpful for anyone stuck with this issue ;)

Aproram
  • 348
  • 1
  • 3
  • 16
-1

Update:

Did you see this blog post? https://developer.microsoft.com/en-us/outlook/blogs/outlook-rest-api-v1-0-deprecation-update/

The API you're using is announced to be deprecated roughly 40 months ago (October 2017). And is actually deprecated April 30th 2021, so you're in luck if it still works for some tenants, but it will stop working very soon.

You could switch to the v2 endpoint of the outlook api, I guess that will be the most compatible. But that endpoint is also announced to be retired https://developer.microsoft.com/en-us/outlook/blogs/outlook-rest-api-v2-0-deprecation-notice/

My advice, enjoy the outlook api while you still can, but invest a little time to convert to the new Graph endpoints if you want your app to continue to work in the near future.

Old (irrelevant) answer:

Have you checked the aud claim of the token? Copy the token and paste it at https://JWT.ms

It should be https://outlook.office365.com (since you’re using the old api).

May I ask why you would want to create a new application that talks to the old api?

Apart from the obvious stuff, the documentation you’re referring to also talks about an “allow list”, if it’s empty no application has access, that is also possible.

The new api (graph endpoints) has an option to do resource scoping (allow an application with client credentials, to certain mailboxes instead of all). If that is configured in the tenant I’ve seen similar errors.

Stephan
  • 2,356
  • 16
  • 38
  • For compatibility related reason, my project is still using the old API. However, for a new app of a new organization. The project is not able to get access. Yes you are right about the access list, it's very vague and not clear. But why would OData error appear if we are using the old API (no ms graph API), and i decoded my access token and it looks normal and legit for the old API.. not sure whats the problem.. – Aproram Jun 21 '21 at 02:19