Graph API call with same assigned roles only works in one tenant

ChrisPortelli-0330 35 Reputation points
2025-03-25T16:31:08.07+00:00

We are trying to consume the Update bookingbusiness endpoint using the client credentials flow. We currently have assigned the following application permissions to our two registered apps sitting on two different tenants:

  • Bookings.ReadWrite.All
  • BookingsAppointment.ReadWrite.All
  • Bookings.Read.All
  • Calendars.Read (assigned due to other functionality)

We are observing that on one tenant, this API request is returning a 204 No Content, as expected. However, on another tenant with the same permissions, it is returning a 403 Forbidden. The documentation specifies that "Bookings.ReadWrite.All" is the least privileged permission required.

The request is shown below (the booking page's email address is redacted):

curl --location --request PATCH 'https://graph.microsoft.com/v1.0/solutions/bookingBusinesses/******@MyDomain.com' \
--header 'Content-Type: application/json' \
--header 'Authorization: ••••••' \
--data '{
    "schedulingPolicy": {
        "sendConfirmationsToOwner": false
    }
}'

The access token generated for both tenants confirms the same roles being assigned - see the below screenshot with the "roles" from the JWT token obtained from the non-working tenant. Moreover, these roles have also been granted admin consent.

[Screenshot: the "roles" claim of the JWT obtained from the non-working tenant]

What could be the root cause of this?

Microsoft Security | Microsoft Graph

1 answer

  1. Pardha Saradhi Reddy Jaladi-MSFT 550 Reputation points Microsoft External Staff
    2025-03-25T19:35:24.4833333+00:00

    Hello ChrisPortelli-0330

    Thank you for reaching out to Microsoft Support!!

    Based on the information provided, the root cause of the 403 Forbidden error on one tenant, despite having the same permissions and admin consent, could be due to one or more of the following reasons:

    Tenant-Specific Configuration:

    • Check if the BookingBusiness resource exists and is properly configured in the tenant returning the error. If the resource does not exist or is misconfigured, the API call will fail.
    • Verify that the email address (******@MyDomain.com) used in the request corresponds to a valid BookingBusiness in the tenant.

    Permissions Propagation:

    • Even though admin consent has been granted, there might be a delay in permissions propagation. Try re-granting admin consent for the application in the affected tenant to ensure permissions are fully applied.

    API Endpoint and Resource Access:

    • Confirm that the API endpoint (https://graph.microsoft.com/v1.0/solutions/bookingBusinesses/) is accessible and that the resource (******@MyDomain.com) is available in the tenant.
    • Test the GET method on the same endpoint to verify if the resource can be retrieved successfully. If the GET request fails, it indicates an issue with the resource or permissions.

    Licensing and Service Availability:

    • Ensure that the affected tenant has the necessary Microsoft 365 licenses to use the Bookings API. The Bookings service must be enabled for the tenant.

    If you still encounter the issue despite trying these steps, I would recommend you raise a support case with Microsoft Graph. A Support Engineer will be able to look into this issue and assist you better. You can raise a support ticket from New support request - Microsoft Entra admin center or https://admin.microsoft.com/#/support/requests. Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
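An added diagnostic script (not code from the question or the answer) that combines the two checks discussed above: it inspects the app-only token's "roles", "tid" and "aud" claims before any call is made, then runs the GET-before-PATCH probe the answer recommends against the same bookingBusinesses endpoint and body as the question. Tenant ids, the sample token and the signature placeholder are constructed for the offline demonstration; the probe needs a real token and business id.

```python
import base64
import json
import urllib.error
import urllib.request

REQUIRED_ROLE = "Bookings.ReadWrite.All"  # least privileged role per the docs
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token(token: str, expected_tenant_id: str) -> list:
    """Return findings that would explain a 403 before any request is sent."""
    claims = decode_jwt_payload(token)
    roles = claims.get("roles", [])
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != expected_tenant_id:  # token minted by the other tenant?
        findings.append(f"issued for tenant {claims.get('tid')!r}, not {expected_tenant_id!r}")
    if REQUIRED_ROLE not in roles:
        findings.append(f"{REQUIRED_ROLE} absent from roles claim {roles}")
    return findings

def probe_booking_business(token: str, business_id: str) -> dict:
    """GET the bookingBusiness first, then PATCH it; return each status code."""
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = f"https://graph.microsoft.com/v1.0/solutions/bookingBusinesses/{business_id}"
    body = json.dumps({"schedulingPolicy": {"sendConfirmationsToOwner": False}}).encode()
    results = {}
    for method, data in (("GET", None), ("PATCH", body)):
        req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
        try:
            with urllib.request.urlopen(req) as resp:
                results[method] = resp.status
        except urllib.error.HTTPError as err:
            results[method] = err.code
        if results[method] >= 400:
            break  # a failing GET points at the resource or permissions, not the PATCH
    return results

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so check_token can be exercised offline."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"
```

Run check_token against the tokens from both tenants with each tenant's own id; if both come back clean, the probe's GET status tells you whether the resource itself is reachable under those roles.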
