1
votes

I'm trying to use the MS Graph API (which I'm new at) to write a PowerShell script to copy the events from a private group calendar into a public group calendar.

So far I've managed to get the private group using this call:

# List the groups visible to the token, then pick the private group by its mail nickname.
$api = "https://graph.microsoft.com/v1.0/groups"
$groups = $null
try { $groups = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($token.access_token)" } -Uri $api -Method "GET" -ContentType "application/json" }
catch { Write-Host -ForegroundColor Red $_ }
$calendar_group = $groups.value | Where-Object -Property mailNickname -eq $pvt_group

However, when I try to move forward and get the events for that group, I get bounced with a 403 error.

The calls I'm trying are either:

# Events of the group's calendar (the group's default calendar).
$api = "https://graph.microsoft.com/v1.0/groups/$group_ID/calendar/events"
Write-Host $api -ForegroundColor Green
$events = $null
try { $events = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($token.access_token)" } -Uri $api -Method "GET" -ContentType "application/json" }
catch { Write-Host -ForegroundColor Red $_ }

Or:

# Same events through the shorter /events path on the group.
$api = "https://graph.microsoft.com/v1.0/groups/$group_ID/events"
Write-Host $api -ForegroundColor Green
$events = $null
try { $events = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($token.access_token)" } -Uri $api -Method "GET" -ContentType "application/json" }
catch { Write-Host -ForegroundColor Red $_ }

Both fail on the same error. NB: the $group_ID variable is correctly valued by the first call.

I have the app registered on Azure with the following permissions:

  1. Calendars.Read Delegated
  2. Calendars.Read.Shared Delegated
  3. Calendars.ReadWrite Delegated
  4. Calendars.ReadWrite.Shared Delegated
  5. Directory.AccessAsUser.All Delegated
  6. Directory.Read.All Delegated
  7. Directory.Read.All Application
  8. Directory.ReadWrite.All Delegated
  9. Directory.ReadWrite.All Application
  10. Group.Read.All Delegated
  11. Group.Read.All Application
  12. Group.ReadWrite.All Delegated
  13. Group.ReadWrite.All Application
  14. GroupMember.Read.All Delegated
  15. GroupMember.Read.All Application
  16. User.Read Delegated

Does anybody know what I'm doing wrong? Many thanks in advance.

Melissa: Could you copy-paste the value of $($token.access_token) to jwt.ms and check the value in the scp element. Does it contain the Group.Read.All?

Melissa: What I find very helpful for these situations is the Graph Explorer. Just mentioning it in case you haven't checked that one out.

arf: Hi @Melissa, thanks for your input. It's all really new to me. Re: jwt.ms: there's no scp element. However, in the roles section of the claim these are all listed: Group.Read.All, Directory.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All, GroupMember.Read.All. Re: Graph Explorer: when I run the query there, I get the same error: "message": "Access is denied. Check credentials and try again.", along with the suggestion: Forbidden - 403 - 73ms. You need to consent to the permissions on the Modify permissions (Preview) tab, which I think I did already.

Melissa: I can reproduce your problem. I will try to investigate it today. By the way, is there a reason why you don't use the Az PowerShell modules?

arf: @Melissa thanks for your time and effort. No specific reason, I guess I just started experimenting that way.

1 Answer

0
votes

The access token that you use is an application access token (the permissions are defined under the roles section). If a user access token is used, you will see the permissions under the scp section.

In the Microsoft docs (here) it is stated that calling /calendar/events unfortunately is not supported with an application access token. (Screenshot: permissions table from the docs.)

If you assign your account to the Groups administrator role, you will implicitly be assigned the Group.Read.All permission. Then use the access token from your account to call the endpoint without any issues (because you've already granted the needed permissions for delegation in the App Registration).
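The check the answer describes (look at the roles claim versus the scp claim) can be done in the script itself before the Graph call. The following is an added example, not code from the question or the answer; it assumes $token.access_token and $group_ID are set as in the question, and the hypothetical function names are mine.

```powershell
# Added example: decode a Graph access token's payload offline and tell an
# application token (roles claim) from a delegated token (scp claim).
# This only decodes; it does not validate the signature, so use it for
# diagnostics, never as an authorization decision.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # Base64url -> Base64: swap the URL-safe characters and restore padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-GraphTokenForGroupCalendar {
    param([Parameter(Mandatory)][string]$Jwt)
    $claims = ConvertFrom-JwtPayload -Jwt $Jwt
    # Delegated (user) tokens carry space-separated scopes in 'scp';
    # application (client-credentials) tokens carry app roles in 'roles'.
    if ($claims.PSObject.Properties['scp']) {
        $scopes = $claims.scp -split ' '
        $calendarScopes = @($scopes | Where-Object { $_ -like 'Calendars.Read*' })
        if ($calendarScopes.Count -gt 0) {
            return "delegated token; calendar scope present: $($calendarScopes -join ', ')"
        }
        return "delegated token, but no Calendars.* scope was consented"
    }
    if ($claims.PSObject.Properties['roles']) {
        return "application token (roles: $($claims.roles -join ', ')); group /calendar/events needs a delegated token"
    }
    return "token has neither scp nor roles; check how the token was requested"
}

# Usage: report the verdict and only call Graph when the token is the right kind.
$verdict = Test-GraphTokenForGroupCalendar -Jwt $token.access_token
Write-Host $verdict
if ($verdict -notlike 'delegated token; calendar scope present*') {
    Write-Warning "Request a delegated token (user sign-in) before calling /calendar/events."
    return
}

$api = "https://graph.microsoft.com/v1.0/groups/$group_ID/calendar/events"
$events = Invoke-RestMethod -Headers @{ Authorization = "Bearer $($token.access_token)" } -Uri $api -Method Get
$events.value | Select-Object subject, start, end
```

Running this against the token from the question prints the application-token verdict, which is the same diagnosis jwt.ms gives in the comments, and it stops before the call that would return 403.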