Write calendars events using microsoft graph api issue

Pernat Stefano 1 Reputation point

I'm trying to use the Microsoft Graph API to write calendar events within my company. First of all let me give you a little bit of context.

I'm building a node API that uses Microsoft Graph to write calendar events, so I configured my application inside the Azure Active Directory with the following application permission


I granted administrator consent as you can see from the picture.

I'm able to get the access token using msal-node

const graphToken = async () => {  
  const azureConfig = {  
    auth: {  
      clientId: process.env.CLIENT_ID,  
      authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`,  
      clientSecret: process.env.CLIENT_SECRET,  
  const tokenRequest = {  
    scopes: [process.env.GRAPH_ENDPOINT + '/.default'],  
  const cca = new msal.ConfidentialClientApplication(azureConfig)  
  const authRespose = await cca.acquireTokenByClientCredential(tokenRequest)  
  if (authRespose) {  
    return authRespose.accessToken  
  return null  

The only thing that sounds me a little odd, is the scope set to [process.env.GRAPH_ENDPOINT + '/.default'] I tried to change it ex. [process.env.GRAPH_ENDPOINT + '/Calendar.ReadWrite'] but it fires an excepion.

The next thing I'm able to do is retrive all calendars a user have right to write to, using the following Graph endpoint: https://graph.microsoft.com/v1.0/users/**{userId}**/calendars

Now the issue, when I try to do a POST request to write a calendar event for example

   POST https://graph.microsoft.com/v1.0/users/{userId}/calendars/{calendarId}/events  
       "subject": "Test",  
       "body": {  
         "contentType": "HTML",  
         "content": "Test"  
       "start": {  
         "dateTime": "2022-11-11T16:00:00",  
         "timeZone": "Europe/Rome"  
       "end": {  
         "dateTime": "2022-11-11T17:00:00",  
         "timeZone": "Europe/Rome"  

Note that calendarId is one of the ids from the previous call (Not the default calendar of userId)

I got a 403 Forbidden with the following response

       "error": {  
           "code": "ErrorAccessDenied",  
           "message": "Access is denied. Check credentials and try again."  

The same call using the userId default calendar works

I also decoded my token to see if I get some info on the root cause of the 403 error, I found this:

   "roles": [  

It seems correct to me.

I don't get if it is a scope issue, an authentication issue or something I'm missing, can someone pinpoint me in the right direction?

Thanks in advance

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,392 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,611 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Vasil Michev 100K Reputation points MVP

    Token looks OK, but make sure you're not being blocked by an application access policy in the tenant: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

    0 comments No comments

  2. HarmeetSingh7172 4,811 Reputation points

    Hello @Pernat Stefano

    Thanks for reaching out!

    Based on the description you provided, it seems the issue is with the specific calendar ID and token and permissions seems to be fine. Since this issue is irreproducible at our end, I would suggest you raise a support case with Microsoft Graph, where a Support Engineer will be able to assist you better. You can raise support ticket from http://aad.portal.azure.com/ or https://admin.microsoft.com/#/support/requests.

    0 comments No comments

  3. Pernat Stefano 1 Reputation point

    Basically it was my fault.

    I messed up with calendar permissions and my test user had a reviewer permission instead of an author one on the calendar I had to write to

    once I was able to identify this issue and change the permission, the call response was what expected.

    0 comments No comments