401 Unauthorized Error When Fetching Calendar Events via Microsoft Graph API Despite Correct Permissions.

Question

I have created a Python application registered in Azure App Registration. This application is intended to access Microsoft Graph API to manage users' calendar events.

The app works by generating a JWT token with the permissions granted to it during app registration. These permissions include access to calendar events.

I have created several users within the Azure AD tenant. Each user logs in, and the app attempts to fetch past calendar events for them. If no past events are found, the app then attempts to create a new calendar event.

However, when trying to fetch existing calendar events for a user, the application consistently receives a 401 Unauthorized error response. This suggests that the token being used does not have the appropriate permissions, or that the token is not being accepted for delegated access to the user’s data.

What I have verified so far:

The app has the correct Microsoft Graph permissions (Calendars.Read, Calendars.ReadWrite).

These permissions have been granted admin consent in the Azure portal.

The JWT is successfully generated and includes the necessary scopes.

The issue appears when accessing user-specific calendar data via Microsoft Graph API (/users/{id}/calendar/events).

Creating new events works fine, but only fetching fails with 401.

Answer 1

Hello @Joseph Burruss,

The error "401 Unauthorized" usually occurs if the Microsoft Entra ID application does not required permissions to perform the action.

• I can see you have granted Calendars.Read application type API permission to the Microsoft Entra ID application and still facing the error.

To resolve the error, remove and revoke all permissions of the specific Microsoft Entra ID app and grant the required permission Calendars.Read application type API permission again:

Used the below python code to fetch the user's calendar event:

tenant_id = "TenantID"

client_id = "ClientID"

client_secret = "Secret"

user_id = "******@xxx.onmicrosoft.com"  

scope = "https://graph.microsoft.com/.default"

token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

token_data = {

    "grant_type": "client_credentials",

    "client_id": client_id,

    "client_secret": client_secret,

    "scope": scope

}

token_headers = {

    "Content-Type": "application/x-www-form-urlencoded"

}

token_response = requests.post(token_url, data=token_data, headers=token_headers)

if token_response.status_code != 200:

    print("Failed to get token:", token_response.status_code, token_response.text)

    exit()

access_token = token_response.json()["access_token"]

graph_url = f"https://graph.microsoft.com/v1.0/users/{user_id}/calendar/events"

graph_headers = {

    "Authorization": f"Bearer {access_token}"

}

response = requests.get(graph_url, headers=graph_headers)

if response.status_code == 200:

    events = response.json().get('value', [])

    print(f"Found {len(events)} events:")

    for event in events:

        print(f"- {event['subject']} ({event['start']['dateTime']} to {event['end']['dateTime']})")

else:

    print("Error fetching events:", response.status_code, response.text)

If still the issue persists, try to create a new Microsoft Entra ID application from scratch and try granting only Calendars.Read application type API permission.

• Decode the access token in jwt.ms and check if the role Calendars.Read is present.

Reference:

"ErrorAccessDenied Message: Access is denied. Check credentials and try again." When I try to get events in my email - Microsoft Q&A

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.