4

I am looking to access free/busy information of several Microsoft Outlook users (on the same tenant) so that I can schedule some events for them.

For this, I have several possibilities:

My issue is that all of these require either Calendars.Read or Calendars.Read.Shared permissions. I have tested solution 2 (because I preferred Application permissions) but when listing events I receive ALL the information of those events and can potentially also see attachment, which is too wide a permission.

My question is thus as follows: how can I find free time between several users then send them a Microsoft Outlook calendar invite, without requiring overly-wide permissions to be granted?

Additional question: I am currently testing fetching shared events using Calendars.Read.Shared. My first user went through the OAuth process and gave permission to my app. Another user shares their calendar (availabilities only) with this user. However, when trying to fetch the events (endpoint: https://graph.microsoft.com/v1.0/users/{user_B_Graph_ID}/events I receive a `403 - DelegatedCalendarAccessDenied" error. Has anyone experienced this?

Here is a documentation file for what I am trying to do.

Marc LaFleur
  • 31,987
  • 4
  • 37
  • 63
Konrad
  • 852
  • 11
  • 31

2 Answers2

1

Application permission scopes are extremely broad by design, it truly is an "all or nothing" scenario. If you use the Calendar.Read Application scope then you're application will have read-only access to every Calendar in the tenant. It isn't possible to restrict which calendars or which data it can access.

The /findMeetingTimes endpoint doesn't support Application scope (it uses the Calendars.Read.Shared delegated scope) and it's is likely the closest to what you're looking for.

The /findMeetingTimes workflow is a bit more cumbersome to use than /getSchedule but since /getSchedule is still in beta, you shouldn't use it in a production application. It isn't safe to pull a dependency on any /beta APIs, they can and most likely will fail from time to time.

Marc LaFleur
  • 31,987
  • 4
  • 37
  • 63
  • The issue is that our customer does not really like the idea of granting us rights to read event descriptions, attendees and attached files either. Currently I am suggesting a rather close solution to this. Using /findMeetingTimes with Calendars.Read.Shared with a user account for our application, which should have all other tenant calendars shared with it by default, but only availabilities. This is the only workaround I have thought of without having to rely on full calendar read access. Happy to hear your thoughts. – Konrad Mar 16 '19 at 20:06
0

For anyone encountering the same issue in the future. You can scope down the Calendar.Read permissions by configuring an application access policy:

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Calendars.Read or Calendars.ReadWrite.

https://learn.microsoft.com/en-us/graph/permissions-reference#calendars-permissions

Sander de Koning
  • 1
  • The main issue is that the scopes are not granular enough, e.g. using either delegated or app permission, I cannot create an event without also having full read access to all events. – Konrad Dec 15 '21 at 16:02