Token looks OK, but make sure you're not being blocked by an application access policy in the tenant: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Write calendar events using Microsoft Graph API issue

I'm trying to use the Microsoft Graph API to write calendar events within my company. First of all let me give you a little bit of context.
I'm building a node API that uses Microsoft Graph to write calendar events, so I configured my application inside the Azure Active Directory with the following application permission
I granted administrator consent as you can see from the picture.
I'm able to get the access token using msal-node
    const msal = require('@azure/msal-node')

    // Acquire an app-only token with the client credentials flow
    const graphToken = async () => {
        const azureConfig = {
            auth: {
                clientId: process.env.CLIENT_ID,
                authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`,
                clientSecret: process.env.CLIENT_SECRET,
            },
        }
        // The scope is the Graph resource followed by /.default
        const tokenRequest = {
            scopes: [process.env.GRAPH_ENDPOINT + '/.default'],
        }
        const cca = new msal.ConfidentialClientApplication(azureConfig)
        const authResponse = await cca.acquireTokenByClientCredential(tokenRequest)
        if (authResponse) {
            return authResponse.accessToken
        }
        return null
    }
The only thing that sounds a little odd to me is the scope set to [process.env.GRAPH_ENDPOINT + '/.default'].
I tried to change it, e.g. to [process.env.GRAPH_ENDPOINT + '/Calendar.ReadWrite'],
but it fires an exception.
The next thing I'm able to do is retrieve all calendars a user has the right to write to, using the following Graph endpoint: https://graph.microsoft.com/v1.0/users/**{userId}**/calendars
Now the issue: when I try to do a POST request to write a calendar event, for example
    POST https://graph.microsoft.com/v1.0/users/{userId}/calendars/{calendarId}/events
    {
        "subject": "Test",
        "body": {
            "contentType": "HTML",
            "content": "Test"
        },
        "start": {
            "dateTime": "2022-11-11T16:00:00",
            "timeZone": "Europe/Rome"
        },
        "end": {
            "dateTime": "2022-11-11T17:00:00",
            "timeZone": "Europe/Rome"
        }
    }
Note that calendarId is one of the ids from the previous call (Not the default calendar of userId)
I got a 403 Forbidden with the following response
    {
        "error": {
            "code": "ErrorAccessDenied",
            "message": "Access is denied. Check credentials and try again."
        }
    }
The same call using the userId default calendar works
I also decoded my token to see if I get some info on the root cause of the 403 error, I found this:
    ...
    "roles": [
        "Calendars.Read",
        "User.Read.All",
        "Calendars.ReadWrite"
    ],
    ...
It seems correct to me.
I don't get whether it is a scope issue, an authentication issue or something I'm missing. Can someone point me in the right direction?
Thanks in advance
3 answers
HarmeetSingh7172 4,786 Reputation points
2022-11-11T23:16:51.31+00:00
Hello @Pernat Stefano
Thanks for reaching out!
Based on the description you provided, it seems the issue is with the specific calendar ID, and the token and permissions seem to be fine. Since this issue is irreproducible at our end, I would suggest you raise a support case with Microsoft Graph, where a Support Engineer will be able to assist you better. You can raise a support ticket from http://aad.portal.azure.com/ or https://admin.microsoft.com/#/support/requests.
-
Pernat Stefano 1 Reputation point
2022-11-16T21:03:21.283+00:00
Basically it was my fault.
I messed up the calendar permissions, and my test user had a reviewer permission instead of an author one on the calendar I had to write to.
Once I was able to identify this issue and change the permission, the call response was what I expected.
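
The root cause found in the last reply can be checked before sending the POST, because the calendar objects returned by the /calendars listing carry a `canEdit` flag. The following is an added diagnostic sketch, not code from the thread; the sample token and calendar list are constructed, and it assumes `canEdit` is false for a calendar shared with reviewer rights.

```javascript
// Diagnostic only: reads the JWT payload without verifying the signature.
function decodeJwtClaims(token) {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('not a JWT')
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/')
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'))
}

// A 403 on an event POST can come from two layers: the app role carried in
// the token, or the mailbox user's own rights on the target calendar.
function diagnoseCalendarWrite(token, calendarsResponse, calendarId) {
  const roles = decodeJwtClaims(token).roles || []
  const hasAppRole = roles.includes('Calendars.ReadWrite')
  const cal = (calendarsResponse.value || []).find((c) => c.id === calendarId)
  let verdict
  if (!hasAppRole) verdict = 'token lacks the Calendars.ReadWrite app role'
  else if (!cal) verdict = 'calendar id is not in this user\'s calendar list'
  else if (cal.canEdit !== true) verdict = 'user cannot edit this calendar: check its sharing permission'
  else verdict = 'token and calendar rights both allow writes'
  return {
    hasAppRole,
    canEdit: cal ? cal.canEdit === true : null,
    owner: cal && cal.owner ? cal.owner.address : null,
    verdict,
  }
}

// Constructed sample data: unsigned token and placeholder ids/addresses.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
const sampleToken = [
  b64url({ alg: 'none', typ: 'JWT' }),
  b64url({ roles: ['Calendars.Read', 'User.Read.All', 'Calendars.ReadWrite'] }),
  'constructed-signature',
].join('.')
const sampleCalendars = {
  value: [
    { id: 'cal-default', isDefaultCalendar: true, canEdit: true,
      owner: { address: 'test.user@example.com' } },
    { id: 'cal-shared', isDefaultCalendar: false, canEdit: false,
      owner: { address: 'team.owner@example.com' } },
  ],
}

console.log(diagnoseCalendarWrite(sampleToken, sampleCalendars, 'cal-shared'))
```

In a real run, pass the access token from `graphToken()` and the JSON body of the `/users/{userId}/calendars` response instead of the constructed samples.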