I'm trying to use the Microsoft Graph API to write calendar events within my company. First of all, let me give you a little bit of context.
I'm building a Node API that uses Microsoft Graph to write calendar events, so I configured my application inside Azure Active Directory with the following application permission.
I granted administrator consent, as you can see from the picture.
I was also able to get the access token using msal-node:
    const msal = require('@azure/msal-node')

    // Acquire an app-only Graph token with the client credentials flow.
    const graphToken = async () => {
      const azureConfig = {
        auth: {
          clientId: process.env.CLIENT_ID,
          authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`,
          clientSecret: process.env.CLIENT_SECRET,
        },
      }
      const tokenRequest = {
        scopes: [process.env.GRAPH_ENDPOINT + '/.default'],
      }
      const cca = new msal.ConfidentialClientApplication(azureConfig)
      const authResponse = await cca.acquireTokenByClientCredential(tokenRequest)
      if (authResponse) {
        return authResponse.accessToken
      }
      return null
    }
The only thing that sounds a little odd to me is the scope set to [process.env.GRAPH_ENDPOINT + '/.default'].
I tried to change it, e.g. to [process.env.GRAPH_ENDPOINT + '/Calendar.ReadWrite'],
but it fires an exception.
The next thing I'm able to do is retrieve all calendars a user has the right to write to, using the following Graph endpoint:
https://graph.microsoft.com/v1.0/users/[email protected]/calendars
Now the issue: when I try to do a POST request to write a calendar event, for example

    POST https://graph.microsoft.com/v1.0/users/{userId}/calendars/{calendarId}/events
    {
      "subject": "Test",
      "body": {
        "contentType": "HTML",
        "content": "Test"
      },
      "start": {
        "dateTime": "2022-11-09T16:00:00",
        "timeZone": "Europe/Rome"
      },
      "end": {
        "dateTime": "2022-11-09T17:00:00",
        "timeZone": "Europe/Rome"
      }
    }

Note that calendarId is one of the ids from the previous call (not the default calendar of userId).
I got a 403 Forbidden with the following response:
    {
      "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again."
      }
    }
I also decoded my token to see if I could get some info on the root cause of the 403 error. I found this:
    ...
    "roles": [
      "Calendars.Read",
      "User.Read.All",
      "Calendars.ReadWrite"
    ],
    ...
It seems correct to me.
I don't get whether it is a scope issue, an authentication issue, or something I'm missing. Can someone point me in the right direction?
Thanks in advance
Basically it was my fault.
I messed up the calendar permissions, and my test user had a reviewer permission instead of an author one on the calendar I had to write to.
Once I was able to identify this issue and change the permission, the call response was what was expected.
I'm leaving this answer as a reference for anyone who encounters this issue.
Thanks anyway
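
The triage the question and answer walk through, as an added example that is not part of the original posts: it first checks the app-only token's `roles` claim, then the target calendar's `canEdit` flag from the `/calendars` listing, to tell a missing application permission apart from a read-only share. The function names, the result labels, and the sample token and calendar data are constructed for illustration; `canEdit` and `isDefaultCalendar` are properties of the Graph calendar resource.

```javascript
// Decode a JWT payload WITHOUT verifying the signature.
// Diagnostics only: never base an authorization decision on this.
function decodeJwtPayload(token) {
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('not a JWT')
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
}

// App-only (client credentials) tokens list application permissions in "roles".
function hasAppRole(payload, role) {
  return Array.isArray(payload.roles) && payload.roles.includes(role)
}

// Hypothetical helper: classify why a calendar write would be refused.
function triageCalendarWrite(token, calendars, calendarId) {
  const payload = decodeJwtPayload(token)
  if (!hasAppRole(payload, 'Calendars.ReadWrite')) return 'token-missing-role'
  const cal = calendars.find((c) => c.id === calendarId)
  if (!cal) return 'calendar-not-listed'
  // canEdit is false when the user has only read access to a shared calendar.
  if (cal.canEdit !== true) return 'calendar-read-only'
  return 'ok'
}

// Constructed sample data (not real tokens or calendar ids).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
const makeToken = (claims) => [b64({ alg: 'none' }), b64(claims), 'sig'].join('.')

const sampleToken = makeToken({
  roles: ['Calendars.Read', 'User.Read.All', 'Calendars.ReadWrite'],
})
const readOnlyToken = makeToken({ roles: ['Calendars.Read'] })

const sampleCalendars = [
  { id: 'cal-default', name: 'Calendar', canEdit: true, isDefaultCalendar: true },
  { id: 'cal-shared', name: 'Team', canEdit: false, isDefaultCalendar: false },
]

function demo() {
  return {
    shared: triageCalendarWrite(sampleToken, sampleCalendars, 'cal-shared'),
    own: triageCalendarWrite(sampleToken, sampleCalendars, 'cal-default'),
    weakToken: triageCalendarWrite(readOnlyToken, sampleCalendars, 'cal-default'),
  }
}
console.log(demo())
```

In a real call, `calendars` would be the `value` array returned by the `/users/{userId}/calendars` request from the question.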