Accessing Outlook Calendar Graph API from background service

Alexander R 20 Reputation points
2024-07-03T14:50:37.1266667+00:00

I'm working on a webapp (SPA and backend) that must constantly access the user's Outlook calendar. The users may come from multiple directories and personal accounts. The app will work 24/7, running the background service and modifying the user's calendar without the user's involvement. So far, I have completed the following:

  1. I created AAD app registration with supported account types "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)."
  2. I set RedirectURI to be my SPA base URL and created a secret.
  3. I implemented authentication in SPA with MSAL (msal-browser). My authorization request looks like this: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=https://graph.microsoft.com/Calendars.ReadWrite+openid+profile+offline_access&response_type=code&client_id=my_client_id...
  4. After user successfully authenticates and gives all permissions, his account looks like User's image
  5. I also retrieved tenantId from the id token (tid claim)
  6. Just to verify that my access_token is valid and permissions set correctly, I successfully requested events from https://graph.microsoft.com/v1.0/me/events
    At this point, I assume the user has successfully given all the required permissions to my app, and my background service can access the user's calendar
  7. I successfully requested access_token with client_credentials flow
       curl --location 'https://login.microsoftonline.com/**tenantId_from_step_5**/oauth2/v2.0/token' \
       --header 'Content-Type: application/x-www-form-urlencoded' \
       --data-urlencode 'client_id=**clientId_from_step1**' \
       --data-urlencode 'scope=https://graph.microsoft.com/.default' \
       --data-urlencode 'client_secret=**secret_from_step2**' \
       --data-urlencode 'grant_type=client_credentials'
    
  8. I requested user's events with the access_token obtained on the previous step https://graph.microsoft.com/v1.0/users/my_test_user@outlook.com/events but got the following:
       {
           "error": {
               "code": "ErrorAccessDenied",
               "message": "Access is denied. Check credentials and try again."
           }
       }
    

I'm stuck at this point and would appreciate any help or suggestions.

Microsoft Graph

1 answer

  1. CarlZhao-MSFT 40,231 Reputation points
    2024-07-04T03:02:17.6333333+00:00

    Hi @Alexander R

    The client credentials flow only supports application permissions. Have you granted the corresponding application permissions to the calling app?

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
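
A diagnostic check for the situation in this thread, as an added example that is not part of the original question or answer: it decodes an access token's payload (without verifying the signature) and reports whether `Calendars.ReadWrite` arrived as an application permission (`roles` claim) or as a delegated scope (`scp` claim). The function names and the sample tokens are constructed for illustration; a token that is not a decodable JWT is reported as opaque.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # not JWT-shaped: treat as opaque
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def diagnose(token, permission="Calendars.ReadWrite"):
    """Say whether `permission` is in the token as an app role or a delegated scope."""
    claims = jwt_claims(token)
    if claims is None:
        return "opaque: token is not a decodable JWT"
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    if permission in roles:
        return "application: permission present in roles claim"
    if permission in scopes:
        return "delegated: permission present in scp claim"
    if not roles and not scopes:
        return "none: token has neither roles nor scp claim"
    return "missing: permission not found in roles or scp"

def fake_token(claims):
    """Build an unsigned JWT-shaped string (constructed sample, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    # Constructed samples standing in for the tokens from steps 3 and 7.
    samples = {
        "auth code flow (step 3)": fake_token({"scp": "Calendars.ReadWrite openid profile"}),
        "client credentials, no app permission": fake_token({"aud": "https://graph.microsoft.com"}),
        "client credentials, app permission granted": fake_token({"roles": ["Calendars.ReadWrite"]}),
        "non-JWT token": "constructed-opaque-token",
    }
    for label, tok in samples.items():
        print(f"{label}: {diagnose(tok)}")
```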