MS Graph API: Reading multiple users calendar free/busy data with restricted access to calendars

Question

MS Graph API: Reading multiple users calendar free/busy data with restricted access to calendars

ToniMartikainen-1813 0

Hello All!

We have a scheduler application which is used to read and write users calendars by using MS Graph API.

In Azure, we have registered an application which has a Calendar.ReadWrite Application permission to read and write users calendars. We also have a (technical) user added into the appliation member, so we can use that technical user to access the other users' calendars like this POST /users/<technical_user@some.domain>/calendar/getSchedule, and adding the users SMTP addresses into the HTTP request body, like in here https://learn.microsoft.com/en-us/graph/api/calendar-getschedule?view=graph-rest-1.0&tabs=http#response-1

The problem here is, that the technical user can access all users calendars, and we would like to restrict the access only to specified calendars. We are planning to use ApplicationAccessPolicy by creating a Mail-enabled security group and adding those specified users into that group. And then use the New-ApplicationAccessPolicy PowerShell command to apply the security group for the Application.

But, when we add the policy, we get the following error

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access to OData is disabled."
  }
}

What might be causing this? We are running out of ideas, and any help would be greatly appreciated.

1 answer

Your answer

Answer 1

Ab-8756 805

Hello ToniMartikainen-1813,
Thank you for reaching out.

Looking at your error, it seems like the issue is related to the EwsApplicationAccessPolicy. Please run "Get-OrganizationConfig | select EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList"
See if EwsApplicationAccessPolicy is set to EnforceAllowList which means only the applications (user agent strings) configured in EwsAllowList are able to access EWS. If EwsAllowList is empty, that means there is no application which is allowed to access EWS.
Please go through this article for further details;- https://learn.microsoft.com/en-us/archive/blogs/wushuai/how-to-fix-access-to-odata-is-disabled-when-calling-graph-api
Please also check whether a user-specific policy has been applied;- Get-CASMailbox <user-principal-name> | fl EwsApplicationAccessPolicy,EWS*List

Hope that helps.
Thanks
--please don't forget to upvote and Accept as answer if the reply is helpful--

ToniMartikainen-1813 0

Hello!

Thank you for you reply!

Unfortunately I couldn't get the system working with your tips.

I checked that EwsApplicationAccessPolicy and it was empty:

PS C:\WINDOWS\system32> Get-OrganizationConfig | select EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

EwsApplicationAccessPolicy EwsAllowList      EwsBlockList
-------------------------- ------------      ------------

I created a new entry to EwsAllowList

PS C:\WINDOWS\system32> Set-OrganizationConfig -EwsApplicationAccessPolicy "EnforceAllowList" -EwsAllowList "Scheduler*"
PS C:\WINDOWS\system32> Get-OrganizationConfig | select EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

EwsApplicationAccessPolicy EwsAllowList EwsBlockList
-------------------------- ------------ ------------
EnforceAllowList           {Scheduler*}

After these I added the User-Agent: Scheduler/* header to the API call (We are using Java libraries to connect the Graph, if that would matter).

In addition to those settings, we already have a Mail-enabled security group (which contains user Identities in the test setup. The access for these users calendars should be allowed)

PS C:\WINDOWS\system32> Get-Group -Identity "Security test" | select DisplayName, GroupType

DisplayName   GroupType
-----------   ---------
Security test Universal, SecurityEnabled

The new ApplicationAccessPolicy is created with New-ApplicationAccessPolicy -AppId xxx -PolicyScopeGroupId sectest@xxx -AccessRight RestrictAccess

PS C:\WINDOWS\system32> Get-ApplicationAccessPolicy


ScopeName        : Security test
ScopeIdentity    : xxx
Identity         : xxx 
AppId            : xxx
ScopeIdentityRaw : xxx
Description      : xxx
AccessRight      : RestrictAccess
ShardType        : All
IsValid          : True
ObjectState      : Unchanged

The Test-ApplicationAccessPolicy command works as I expect: If I test with the Identity which should be accessible, I get the answer:

PS C:\WINDOWS\system32> Test-ApplicationAccessPolicy -AppId xxx -Identity  test2@xxx

AppId             : xxx
Mailbox           : xxx
MailboxId         : xxx
MailboxSid        : xxx
AccessCheckResult : Granted

And with this Identity, which is not in the security group, the access should be denied

PS C:\WINDOWS\system32> Test-ApplicationAccessPolicy -AppId xxx -Identity  test1@xxx


AppId             : xxx
Mailbox           : xxx
MailboxId         : xxx
MailboxSid        : xxx
AccessCheckResult : Denied

But with all of these, I still get "Access to OData is disabled" error. I have also waited over night to be sure that all the above are really taken into effect.

I'm wondering if the POST /users/<technical_user@some.domain>/calendar/getSchedule is a proper way get the schedule information now, or should some other way to be used?

ToniMartikainen-1813 0 Reputation points

2023-06-14T08:11:30.3466667+00:00

Edit: Double posted comment
Ab-8756 805 Reputation points

2023-06-14T15:09:26.7866667+00:00

Hi ToniMartikainen-1813,
Thank you for your response.

I am seeing some incident opened internally for GetSchedule request where users are getting "ErrorAccessDenied" error. I would recommend you check other http request for the same mailbox like you can run inbox message or GET /users/{id | userPrincipalName}/events/{id} to verify if the issue is with only for GetSchedule request.
Thanks.
ToniMartikainen-1813 0 Reputation points

2023-06-15T07:32:01.1+00:00
Hi! Thank you for reply and suggestions again!

A bug in this endpoint might explain the things...

When I call

GET /users/test1@xxx/events

I get the ErrorAccessDenied, as expected, because the test1 user is not in the security group

And when I call

GET /users/test2@xxx/events

I get a 200 OK response, as expected, because the test2 user is in the security group.

So in that sense the /events API seems to work as expected.

I did some further testing with the technical user and getSchedule endpoint: If the technical user is not in the security group, then POST /users/<technical_user>/calendar/getSchedule can't access any users (not user1 nor user2) schedules. If the technical user is added into the security group, then it can access all users (both user1 and user2) calendars. I'm expecting that user1's schedule couldn't be able to read, and user2's schedule should be able to read.

You mentioned the incident is opened internally. Do you know if there is any external sources available regarding this problem? I mean something that we could follow and see when the problem is solved (or is it?), or any status at all? Is there any estimates when this incident would be solved? :)

Thank you!

Share via

MS Graph API: Reading multiple users calendar free/busy data with restricted access to calendars

1 answer

Your answer