Microsoft Graph API - 403 Forbidden for v1.0/me/events

0
votes

I'm building a page with numerous calls to Microsoft Graph to different end points: to get OneDrive files, emails, user properties, etc.

The one call that does not work is to get the current user's calendar events. The end point I'm using is https://graph.microsoft.com/v1.0/me/events. The response is 403 Forbidden.

enter image description here

According to the Microsoft documentation here the application needs Calendars.Read or Calendars.ReadWrite permissions. I checked both of these under delegated permissions and still the same problem. I then ticked all 51 permission scopes in Azure AD for this app, and still the same problem.

enter image description here

I also tried creating a new app in Azure AD, but this did not help.

How can I use Microsoft Graph to get back the current user's calendar events? What am I missing?

EDIT:

I'm using ADAL.js for authentication. This is the code I have in my own doAuth function that takes in the client ID of the application.

function doAuth(clientId) {
    var variables = {
        // Domain of Azure AD tenant
        azureAD: // the appropriate URL,
        // ClientId of Azure AD application principal
        clientId: clientId,
        // Name of SharePoint tenant
        sharePointTenant: // the appropriate URL
    }

    // Create config and get AuthenticationContext
    window.config = {
        tenant: variables.azureAD,
        clientId: variables.clientId,
        postLogoutRedirectUri: window.location.origin,
        endpoints: {
            graphApiUri: "https://graph.microsoft.com",
            sharePointUri: "https://" + variables.sharePointTenant + ".sharepoint.com",
        },
        cacheLocation: "localStorage"
    }

    var authContext = new AuthenticationContext(config);
    var isCallback = authContext.isCallback(window.location.hash);
    authContext.handleWindowCallback();

    if (isCallback && !authContext.getLoginError()) {

        window.location = authContext._getItem(authContext.CONSTANTS.STORAGE.LOGIN_REQUEST);
    }

    var user = authContext.getCachedUser();
    var token = authContext.getCachedToken(clientId);

    if (!user || !token)
        authContext.login();

    return authContext
}
2
javascriptjquerycalendaroffice365microsoft-graph-api
Have you checked the JWT token you get back from login.microsoftonline.com whether it contains the required scopes?RasmusW
@RasmusW can you explain please how I go about inspecting the token for scopes? Is there a method I need to use on the AuthenticationContext object?Submits
I just meant doing it manually. You can get sites like jwt.io or jwt.calebb.net to decode it for you. The last one even includes some documentation about each of the properties if they are standard JWT.RasmusW
I've added my ADAL code to my question. How do I check the JSON object that is returned from login.microsoftonline.com?Submits

2 Answers

1
votes

It sounds like you've changed the scopes assigned to the application. When this happens you also need to have user's reauthorize using those new scopes. To do this, add &prompt=consent to the query string of your initial ODATA redirect. This will force your new scopes to be presented to the user for authorization.

You can trigger this in the ADAL.js library using the extraQueryParameter parameter in your configuration:

// Create config and get AuthenticationContext
window.config = {
    tenant: variables.azureAD,
    clientId: variables.clientId,
    postLogoutRedirectUri: window.location.origin,
    endpoints: {
        graphApiUri: "https://graph.microsoft.com",
        sharePointUri: "https://" + variables.sharePointTenant + ".sharepoint.com",
    },
    cacheLocation: "localStorage",
    extraQueryParameter: "prompt=consent"
}
0
votes

In the end I wasn't able to figure this out and ended up using the Exchange API instead of Graph for mail, calendar and tasks (tasks would have required Exchange API anyway, since this is only currently available in the beta Graph API).