adhiman

Reputation: 113

Azure Active directory API permissions

I have got a scenario where I would like to retrieve calendar bookings/meetings from Exchange using the Graph APIs. These meetings should only be available in the application running on the control/touch panel located in that room. In order to do that, I have registered an App in Azure AD and am using MSAL's .NET PublicClientApplication with the necessary API permission, i.e. Calendars.Read, which requires Admin consent, and I am using the Device code flow in the application, which generates a code whenever I try to run the app.

I see that it's also possible to configure a ConfidentialClient, which acts on behalf of the application and not the user. This also requires pre-consent from an Admin.

Question :

  1. Not sure which type of authentication mechanism is best suited to this scenario?
  2. Is it possible to make API permissions, e.g. "Calendars.Read", work only for a specific account? Like in this case just for that room.

Upvotes: 0

Views: 91

Answers (1)

Joy Wang

Reputation: 42043

Not sure which type of authentication mechanism is best suited to this scenario?

I think both of them could meet your requirement; for security, I recommend you use option one. Something you should note: if you are using the delegated permission Calendars.Read with the auth code flow, the user needs to log in to the App, then the app does operations on behalf of the user; essentially the permission comes from the user.

If you use the application permission Calendars.Read, it uses the client credential flow and the permission comes from the application, which means everyone in the room can use the application to retrieve calendar bookings/meetings.

Is it possible to make API permissions, e.g. "Calendars.Read", work only for a specific account? Like in this case just for that room.

No, you cannot make the API permission work just for a specific account.

Upvotes: 1
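The two options the answer compares, as an added example that is not part of the question or the answer: option one is the delegated Calendars.Read obtained through the device code flow the asker already uses (the permission comes from the signed-in user, so the token carries an "scp" claim and Graph is called as /me), option two is the application Calendars.Read obtained through client credentials (the permission comes from the app, so the token carries a "roles" claim and the mailbox has to be named explicitly). It uses the MSAL Python package rather than MSAL.NET, the tenant ID, client ID, client secret and room address are placeholders, and the two sample tokens are constructed and unsigned so the claim check runs offline.

```python
"""Device code flow (delegated Calendars.Read) vs. client credentials
(application Calendars.Read) against Microsoft Graph, with a local check of
which kind of token came back. Added example using MSAL for Python
(pip install msal), not the MSAL.NET code from the question."""
import base64
import json
import sys

GRAPH_AUD = "https://graph.microsoft.com"
GRAPH = GRAPH_AUD + "/v1.0"
AUTHORITY = "https://login.microsoftonline.com/{tenant}"

# Placeholders (assumed): replace with your own app registration values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "replace-me"             # only the confidential client needs this
ROOM_UPN = "room-101@contoso.example"    # assumed room mailbox address


def acquire_delegated(scopes=("Calendars.Read",)) -> dict:
    """Option one: PublicClientApplication + device code flow.
    Sign in as the room account; the token then carries an 'scp' claim and
    only reaches what that account can see."""
    import msal  # imported lazily so the offline helpers below run without it
    app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY.format(tenant=TENANT_ID))
    flow = app.initiate_device_flow(scopes=list(scopes))
    if "user_code" not in flow:
        raise RuntimeError(flow.get("error_description", "device flow failed"))
    print(flow["message"])  # which URL to open and which code to enter
    return app.acquire_token_by_device_flow(flow)


def acquire_application() -> dict:
    """Option two: ConfidentialClientApplication + client credentials.
    No user signs in; the app itself holds the admin-consented permission and
    the token carries a 'roles' claim instead of 'scp'."""
    import msal
    app = msal.ConfidentialClientApplication(
        CLIENT_ID, authority=AUTHORITY.format(tenant=TENANT_ID), client_credential=CLIENT_SECRET)
    # Application permissions are requested through the resource's /.default scope.
    return app.acquire_token_for_client(scopes=[GRAPH_AUD + "/.default"])


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Payload claims of a JWT, read without verifying the signature.
    Local inspection only; the client never makes an authorization decision
    from this, Graph validates the token on its side."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def permission_source(jwt: str) -> str:
    """'delegated' when the token has 'scp' (consent came from the user),
    'application' when it has 'roles' (admin consented for the app itself)."""
    claims = token_claims(jwt)
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def calendar_url(jwt: str, room_upn: str) -> str:
    """A delegated token reads the signed-in user's own calendar via /me;
    an application token has no user and must name the mailbox."""
    kind = permission_source(jwt)
    if kind == "delegated":
        return f"{GRAPH}/me/calendarView"
    if kind == "application":
        return f"{GRAPH}/users/{room_upn}/calendarView"
    raise ValueError("token carries neither 'scp' nor 'roles'")


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only; a real Graph
    token is signed by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}."


# Constructed sample tokens showing the claim that separates the two flows.
SAMPLE_DELEGATED = make_unsigned_token({"aud": GRAPH_AUD, "scp": "Calendars.Read", "upn": ROOM_UPN})
SAMPLE_APPLICATION = make_unsigned_token({"aud": GRAPH_AUD, "roles": ["Calendars.Read"]})

if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "offline"
    if mode == "offline":
        for tok in (SAMPLE_DELEGATED, SAMPLE_APPLICATION):
            print(permission_source(tok), "->", calendar_url(tok, ROOM_UPN))
    else:
        result = acquire_delegated() if mode == "delegated" else acquire_application()
        if "access_token" not in result:
            sys.exit(result.get("error_description", "token request failed"))
        print(calendar_url(result["access_token"], ROOM_UPN))
```

Run it with no arguments for the offline claim check, or with `delegated` / `application` to perform the real flow against your tenant. The claim check is the practical way to confirm which of the two the panel ended up with: a token with "roles" was minted for the app, not for the room account, which is the point the answer makes about everyone in the room being able to use it, and in that case the client secret sitting on the panel is the credential that grants the access.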
