I am trying to access calendar events using the Microsoft Graph API (https://graph.microsoft.com/v1.0/me/calendarView) on node.js following this permissions guide but I receive the error response :
{
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "7c2...",
"date": "2016-07-13T21:19:11"
}
}
The call was made with using :
request({url : 'https://graph.microsoft.com/v1.0/me/calendarview', qs : queryParams, 'auth': {'bearer': token}}, function (error, response, body) {
...
});
The request has a valid token and the call to .../me/ via
request({url : 'https://graph.microsoft.com/v1.0/me/', 'auth': {'bearer': token}}, function (error, response, body) {
...
});
returns :
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id":"<valid_id>",
"businessPhones":[],
"displayName":"<valid_name>",
"givenName":"<valid_name>",
"jobTitle":"<valid_title>",
"mail":"<valid_email>",
"mobilePhone":"<valid_cell>",
"officeLocation":null,
"preferredLanguage":"en-US",
"surname":"<valid_name>",
"userPrincipalName":"<valid_email>"}
So I am assuming this is an issue with permissions set on https://manage.windowsazure.com/ where I created two applications, one for the node server and one for the web client application. I am using passport for authentication and the client id and secret for the web client application.
var AzureOAuthStrategy = require('passport-azure-oauth').Strategy;
passport.use(new AzureOAuthStrategy({
clientId: config.live.clientID,
clientSecret: config.live.clientSecret,
tenantId: config.live.tenant,
resource: 'https://graph.microsoft.com/',
redirectURL: config.live.callbackURL
},
function(accessToken, refreshToken, profile, done) {
Here is what I set for "permissions to other applications" on the node application:
- Windows Azure Active Directory :
- Delegated Permissions
- Read all users' full profiles
- Sign in and read user profile
- Delegated Permissions
- Microsoft graph :
- Delegated Permissions
- Have full access to user calendars
- Read user calendars
- Delegated Permissions
- (see below)
- Delegated Permissions
- Access
- Delegated Permissions
Here is what I set for "permissions to other application" on the web client application:
- Microsoft Graph :
- Application Permissions
- Read and write calendars in all mailboxes
- Read calendars in all mailboxes
- Delegated Permissions
- Sign users in
- Read user contacts
- Have full access to user calendars
- Read user calendars
- Sign in and read user profile
- Application Permissions
- Office Exchange 360 Online :
- Application Permissions
- Read and write calendars in all mailboxes
- Read calendars in all mailboxes
- Delegated Permissions
- Read user and share calendars
- Read and write user and shared calendars
- Read all users' basic profiles
- Read user profiles
- Read user contacts
- Read user calendars
- Application Permissions
- Windows Azure Active Directory
- Application Permissions : none
- Delegated Permissions
- Sign in and read user profile
I'm not 100% on what the relationship between the permissions set within the azure management portal and specific end point access. I have read the API scope article but discussion in that article is a bit too conceptual for my needs.
Ultimately I am trying to access and write events to all reservable resources within a tenant id.
