c# exchangewebservices microsoft-graph-api

What permission is required to get the WorkHours of a calendar?


Background

I am trying to connect to Office 365, to read the calendars of users that have granted permission. I have tried two options:

  • Exchange Web Services (EWS)
  • Microsoft Graph

EWS works but has the downside that I use login/password combinations to connect. Even though I store them encrypted, I'd rather not store them at all.

Microsoft Graph works as well, but has a gigantic downside: any updates I make to an item using the API are sent to all attendees. This behavior can be turned off when using the EWS API, but not (yet?) for Graph.

I'd like to take the OAuth implementation I have for Microsoft Graph, and use the EWS service to connect. No updates to attendees unless users want them, and no stored credentials.

The problem

For my application to work properly, I need to:

  • Get the timezone of the calendar, which I do by reading the person's work hours;
  • Read and write calendar items, which is the purpose of the application.

I have already established a connection with OAuth to Office365, using OAuth.

I cannot figure out the smallest subset of permissions I need. I have not found any documentation regarding this. Any subset of rights I tried, I get a 401 when I ask for WorkHours.

Minimal Code sample

This will work when I enable 38 non-admin permissions that the app registration for Exchange Online supports, but will fail for every subset I have tried.

[TestMethod]
public void ConnectUsingEws()
{
    var accessToken = "eyJz93a...k4laUWw";
    var credentials = new OAuthCredentials(accessToken);
    var service = new ExchangeService(TimeZoneInfo.Utc);

    service.Url = new Uri("https://outlook.office365.com/EWS/exchange.asmx");
    service.TraceEnabled = true;
    service.TraceFlags = TraceFlags.All;
    service.Credentials = credentials;

    // This next line is where the service will always throw a 401.
    var workHours = UserConfiguration.Bind(service, "WorkHours",
        WellKnownFolderName.Calendar, UserConfigurationProperties.All);

    // Do some XML magic on workHours to get the timezone.
}

TLDR

I'm sure it's one permission that needs to be enabled, and I'm also fairly certain it's not one that's very obvious.


Solution

  • EWS doesn't support the same level of permission scopes that REST does with OAuth (which is a big downside of using EWS from a security perspective).

    OAuth authentication for EWS is only available in Exchange as part of Office 365. EWS applications require the "Full access to user's mailbox" permission.

    ref https://msdn.microsoft.com/en-us/library/office/dn903761(v=exchg.150).aspx
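
A way to see which delegated scopes an access token actually carries before calling EWS, as an added example that is not part of the original question or answer. It decodes the token's `scp` and `aud` claims for diagnostics only; the scope string `full_access_as_user`, the class and method names, and the sample token are assumptions constructed for illustration, so substitute the value your app registration shows for "Full access to user's mailbox".

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenScopeCheck
{
    // Assumed scope value for "Full access to user's mailbox"; confirm it in your app registration.
    const string AssumedEwsScope = "full_access_as_user";

    // Helper used only to build the constructed sample token below.
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Decodes the JWT payload WITHOUT validating the signature: diagnostics only, never authorization.
    public static JsonElement ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a three-part JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone(); // Clone so the element outlives the document.
    }

    // Delegated scopes arrive as one space-separated string in the "scp" claim.
    public static string[] DelegatedScopes(JsonElement payload) =>
        payload.TryGetProperty("scp", out var scp) && scp.ValueKind == JsonValueKind.String
            ? scp.GetString().Split(' ', StringSplitOptions.RemoveEmptyEntries)
            : Array.Empty<string>();

    public static void Main()
    {
        // Constructed sample token (unsigned, fake values) so the example runs offline.
        var claims = "{\"aud\":\"https://outlook.office365.com\",\"scp\":\"Calendars.ReadWrite User.Read\"}";
        var jwt = B64Url("{\"alg\":\"none\"}") + "." + B64Url(claims) + ".sig";

        var payload = ReadPayload(jwt);
        var scopes = DelegatedScopes(payload);
        Console.WriteLine("aud: " + payload.GetProperty("aud").GetString());
        Console.WriteLine("scp: " + string.Join(", ", scopes));
        Console.WriteLine(scopes.Contains(AssumedEwsScope)
            ? "Full-mailbox scope present: EWS will accept the token, and it can reach the whole mailbox."
            : "Full-mailbox scope missing: per the answer above, EWS rejects narrower scope sets.");
    }
}
```

Because the full-mailbox grant covers far more than calendar data, treat any token that carries it as a high-value secret and log which applications request it.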