Design
Goal
Get calendar events for a given user.
Requirements
Implementation / Setup
application permissions
security group - as described here - was created with a limited number of users with the related policy that included related permissions (see here). The group was later connected to the app following this instruction.
Calendar.Read and Calendar.ReadWrite as required by the actions here and here were added to the policy mentioned in the previous setup step.
Testing
Two HTTP requests were used: one to get the token and another to read events.
Identity Platform
curl --location --request POST 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
--data-raw 'client_id=<APPLICATION_TOKEN>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=<APPLICATION_SECRET>&grant_type=client_credentials'
Upon inspection of the token here I see that it contains the required permissions:
"roles": [
"Calendars.Read",
"Calendars.ReadWrite"
]
Graph API
curl --location --request GET 'https://graph.microsoft.com/v1.0/users/<USER_ID>/calendar/events' \
--header 'Authorization: Bearer <TOKEN>'
results in the following error:
{
"error": {
"code": "ResourceNotFound",
"message": "User not found",
"innerError": {
"date": "2022-02-08T08:25:39",
"request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b",
"client-request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b"
}
}
}
The user id is from my account that I found in the Azure Active Directory details of the Azure Tenant. I double-checked that after adding other users.
Before-asking investigation
This issue looks closest to my case as it uses the client credentials auth flow. But it uses global permissions for all users in the AAD, while we use a more fine-grained approach with a security group. It also shows a different error, "Resource could not be discovered.", versus "User not found" in my case.
In order for the call to /{user-id}/calendar/events to work, the user must have a mailbox on Exchange Online if you are using client credentials for daemon applications.
Also, it seems assigning a license to a guest account (personal account in this case) is not possible and hence the user account never gets access to the calendar service (part of O365 Exchange Online), due to which it cannot retrieve the calendar information of the personal account.
Please refer to my similar answer in Q&A for a detailed description.
Short Version
I was missing the application permissions and assumed that they are assigned at the level of the security group. Only restriction happens on that level.
Long Version
The updated mental model looks like this:
It means that the application permissions for MS Graph API are required. The security group is only restricting / limiting the access to the users mentioned in the policy.
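As an added example (not code from the question or either answer above), a small Python diagnostic that reproduces the checks in this thread offline: it builds the client-credentials request body used by the first curl call, reads the roles claim out of the returned token to confirm the application permission is actually present, and maps the ResourceNotFound / "User not found" response to the mailbox explanation given in the answer. The token and error body are constructed samples; Authorization_RequestDenied is Graph's general insufficient-privileges code and does not appear on this page.

```python
import base64
import json
import urllib.parse

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Application permission needed to read another user's events via client credentials.
REQUIRED_ROLES = {"Calendars.Read"}


def token_request_body(client_id, client_secret):
    """Form body for the client-credentials grant, matching the curl call in the question."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "scope": GRAPH_SCOPE,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: diagnostic only.
    Graph validates the token; this just shows what the app was granted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=REQUIRED_ROLES):
    """Application permissions appear in the 'roles' claim; return those absent."""
    return sorted(required - set(jwt_claims(token).get("roles", [])))


def diagnose_graph_error(body):
    """Map a Graph error body to the most likely cause, per the answers above."""
    err = json.loads(body).get("error", {})
    code, message = err.get("code"), err.get("message", "")
    if code == "ResourceNotFound" and "User not found" in message:
        return "user has no Exchange Online mailbox (unlicensed, guest or personal account)"
    if code == "Authorization_RequestDenied":  # assumption: general Graph 403 code
        return "token lacks the application permission, or the access policy excludes this user"
    return f"unhandled Graph error {code}: {message}"


def _fake_jwt(claims):
    """Build an unsigned, CONSTRUCTED token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                          "roles": ["Calendars.Read", "Calendars.ReadWrite"]})
SAMPLE_ERROR = json.dumps({"error": {"code": "ResourceNotFound", "message": "User not found"}})
```

Run `missing_roles` on the real token first; an empty result plus "User not found" points at the mailbox, not at permissions.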