How-to: Accessing other mailbox calendars with Graph

Accessing calendars with Graph requires some permission configuration before the Graph call will work. What is required depends on the type of application, which determines the type of permissions – Delegate or Admin. The information below explains how to set up the needed permissions.

Starting information:

For Graph to read from a shared mailbox (similar to Outlook delegate access), you need to set permissions in Azure and may also need to set sharing permissions. If you set the Calendars.Read.Shared permission, the user needs to share their calendar. If you set Calendars.Read for your application, it can access all calendars in the org – there is no way to filter the scope.

Microsoft Graph permissions reference
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Look under "Microsoft Graph permission names" and "Calendar permissions"

In Azure, set:

Calendars.Read.Shared: Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. (Delegated permissions)

or

Calendars.Read: Allows the app to read events of all calendars without a signed-in user. (Application permissions)

It's the same for REST:

Outlook Calendar REST API reference
https://msdn.microsoft.com/en-us/office/office365/api/calendar-rest-operations

See "Using the Calendar REST API"

Delegate permissions:

For delegate permissions, three things are needed:

  • Calendars.Read.Shared or Calendars.ReadWrite.Shared in Azure.
  • The user also needs to grant shared permission to the calendar.
  • In the scope of requested permissions in your code, ask for the same permissions you granted in Azure.

Here is how a user can share their calendar for an application using Delegate permissions:

Calendar sharing in Office 365
https://support.office.com/en-us/article/calendar-sharing-in-office-365-b576ecc3-0945-4d75-85f1-5efafb8a37b44

Share an Outlook calendar with other people
https://support.office.com/en-us/article/share-an-outlook-calendar-with-other-people-353ed2c1-3ec5-449d-8c73-6931a0adab88

Admin permissions:

For Admin permissions (used by background services or daemon applications), admin consent must be granted for Calendars.Read or Calendars.ReadWrite. This allows the application to access all mailboxes in the organization. These permissions cannot be filtered to anything less than all mailboxes.

Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
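
When troubleshooting, it helps to check which of the two permission types an access token actually carries. The following is an added example, not code from the original post or from Microsoft: it decodes a token's claims and classifies its calendar reach, relying on Azure AD placing delegated permissions in the `scp` claim and application permissions in the `roles` claim. The function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Permission names as listed in the Microsoft Graph permissions reference.
APP_ROLES = {"Calendars.Read", "Calendars.ReadWrite"}
SHARED_SCOPES = {"Calendars.Read.Shared", "Calendars.ReadWrite.Shared"}
OWN_SCOPES = {"Calendars.Read", "Calendars.ReadWrite"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def calendar_reach(token: str) -> str:
    """Classify which calendars the token's permissions can reach."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles") or [])       # application permissions (app-only token)
    scopes = set(claims.get("scp", "").split())  # delegated permissions (signed-in user)
    if roles & APP_ROLES:
        return "all-mailboxes"       # admin-consented, cannot be narrowed
    if scopes & SHARED_SCOPES:
        return "shared-with-user"    # still requires the owner to share the calendar
    if scopes & OWN_SCOPES:
        return "own-calendar-only"   # same name as the app role, far smaller reach
    return "none"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    samples = {
        "daemon": {"roles": ["Calendars.Read"]},
        "delegate": {"scp": "User.Read Calendars.Read.Shared"},
        "user": {"scp": "User.Read Calendars.Read"},
    }
    for name, claims in samples.items():
        print(name, "->", calendar_reach(make_sample_token(claims)))
```

A result of "all-mailboxes" means the app holds the organization-wide application permission, so its client secret or certificate should be protected accordingly.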

Daemon Applications:

Here is additional information on building a daemon application:

Build service and daemon apps in Office 365
https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365

Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs (OAuth2 client credential flow)
https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow

Azure-Samples – Active Directory DotNet Daemon V2
https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2

Throttling:

Here are articles to review on Graph/REST throttling:

Microsoft Graph throttling guidance
https://developer.microsoft.com/en-us/graph/docs/concepts/throttling

Throttling coming to Outlook API and Microsoft Graph
https://blogs.msdn.microsoft.com/exchangedev/2017/04/07/throttling-coming-to-outlook-api-and-microsoft-graph

Gotchas – Microsoft Graph/Outlook REST API throttling, best practices
https://blogs.msdn.microsoft.com/deva/2018/06/01/gotchas-microsoft-graphoutlook-rest-api-throttling-best-practices

Additional:

Here is how to list shared mailboxes:

How to get a list of Shared mailboxes and users with permissions to those mailboxes in Exchange Online?
https://blogs.technet.microsoft.com/dpickett/2016/04/29/how-to-get-a-list-of-shared-mailboxes-and-users-with-permissions-to-those-mailboxes-in-exchange-online

Be sure to also read the following, which covers how the client credentials flow works:

Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow
/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds

Information on permission scopes:

Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint
/en-us/azure/active-directory/develop/active-directory-v2-scopes#admin-restricted-scopes

Permission scopes | Graph API concepts
https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes