Reputation: 41
I am having trouble accessing calendar events of users using the Microsoft Graph API and get an access denied response even though I have set all of the correct permissions and more, both application and delegated (Calendars.Read Delegated, Calendars.Read Application, Calendars.Read.Shared Delegated, Calendars.ReadBasic Delegated, Calendars.ReadBasic.All Application, Calendars.ReadWrite Delegated, Calendars.ReadWrite Application, Calendars.ReadWrite.Shared Delegated). I am using the Microsoft developer instant sandbox users, who all have Microsoft 365 E5 Developer licences and all have Exchange Online Plan 2.
The code I use to retrieve the access token and send the calendar request is below:
    use Microsoft\Graph\Graph;

    // Request an app-only token with the client credentials grant
    $guzzle = new \GuzzleHttp\Client();
    $url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/v2.0/token';
    $token = json_decode($guzzle->post($url, [
        'form_params' => [
            'client_id' => $clientId,
            'client_secret' => $clientSecret,
            'scope' => 'https://graph.microsoft.com/.default',
            'grant_type' => 'client_credentials',
        ],
    ])->getBody()->getContents());
    $accessToken = $token->access_token;

    // Call Microsoft Graph with the token
    $graph = new Graph();
    $graph->setBaseUrl("https://graph.microsoft.com/")
        ->setAccessToken($accessToken);
    $ptr = $graph->createCollectionRequest('GET', '/users/{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}/events')
        ->setPageSize(100);
If I use the same code with the endpoint /users/{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}/calendars I get a list of the user's calendars, but as soon as I try to get events I get a 403 error. The same issue occurs if I use the delegated auth flow and try to access events as a signed-in user; again I am able to access a list of calendars.
When decoding the access token the roles section looks like this:

    "roles": [
        "Calendars.Read",
        "Mail.ReadBasic.All",
        "Group.Read.All",
        "User.Read.All",
        "Calendars.ReadBasic.All",
        "GroupMember.Read.All",
        "Calendars.ReadWrite",
        "Mail.Send"
    ]

Are there other permissions that need to be set for an app or a user to make this work?
Let me know if I can add any more info to help with answers; any suggestions would be helpful.
Thanks
UPDATE
Having looked further, it could be an issue with "Limiting application permissions to specific Exchange Online mailboxes" (https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access).
There was a policy defined, but having removed this (and waiting for that update to become effective), I am still getting the same error. I assume, therefore, that a policy is needed to allow access; however, I can't find any documentation about this.
Upvotes: 0
Views: 617
Reputation: 41
So the fix (given here https://learn.microsoft.com/en-us/answers/questions/1167148/microsoft-graph-throwing-403-error-for-calendar-wi) is to only have the lowest-level permission; otherwise you get the error response.
Upvotes: 0
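
A check for the condition this answer describes, added here as an example and not part of the original post: it decodes an app-only token and lists every Calendars.* entry in its roles claim so that redundant grants can be trimmed in the app registration. The helper names jwtClaims and calendarRoles are hypothetical, the token is constructed from the roles shown in the question, and treating more than one calendar role as the thing to flag is an assumption drawn from the answer.

```php
<?php
// Added example (not the poster's code): list the Calendars.* app roles in a token.
// The payload is only decoded, not signature-checked, so use this for diagnosis,
// never for an authorization decision.

/** Decode the claims (second segment) of a JWT. Hypothetical helper name. */
function jwtClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Expected a three-part JWT');
    }
    // JWT segments are base64url without padding; restore both before decoding.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $claims = json_decode((string) base64_decode($b64, true), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('JWT payload did not decode to JSON claims');
    }
    return $claims;
}

/** Return the Calendars.* entries of the "roles" claim, sorted. Hypothetical helper name. */
function calendarRoles(array $claims): array
{
    $roles = array_filter(
        (array) ($claims['roles'] ?? []),
        fn($r) => is_string($r) && strpos($r, 'Calendars.') === 0
    );
    sort($roles);
    return $roles;
}

// Constructed token: unsigned, carrying the roles listed in the question.
$b64url = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$payload = json_encode(['roles' => [
    'Calendars.Read', 'Mail.ReadBasic.All', 'Group.Read.All', 'User.Read.All',
    'Calendars.ReadBasic.All', 'GroupMember.Read.All', 'Calendars.ReadWrite', 'Mail.Send',
]]);
$token = $b64url('{"alg":"none"}') . '.' . $b64url($payload) . '.' . $b64url('constructed');

$found = calendarRoles(jwtClaims($token));
if (count($found) > 1) {
    echo 'More than one calendar role granted: ' . implode(', ', $found) . PHP_EOL;
} else {
    echo 'Calendar roles: ' . implode(', ', $found) . PHP_EOL;
}
```

After removing permissions from the app registration, request a fresh token before re-running the check, since an already issued token keeps the roles it was issued with.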