Tags: c#, azure, outlook, permissions, microsoft-graph-api

How to fetch group calendar events using Azure application-only permissions? Error: Access is denied. Check credentials and try again


Summary: I'm trying to fetch group calendar and its events using Azure application-only permissions, but I'm getting an error.

Error Message: [screenshot not preserved]

Code:

    var graphClient = new GraphServiceClient(authProvider);
    var events = await graphClient
        .Groups[groupId]
        .Calendar
        .Events
        .Request()
        .GetAsync();

  • Ensured the application has the required permissions (Calendars.Read, Calendars.ReadWrite, Group.ReadWrite.All) in the Azure portal.
  • Verified the client credentials (client ID, tenant ID, client secret) are correct.
  • Checked that the application is granted admin consent for the required permissions.

Question: What could be causing the ErrorAccessDenied when trying to fetch the group calendar events with application-only permissions? How can I resolve this issue?

Additional Information:

  • The application is registered in Azure AD and has been granted admin consent for the necessary permissions.
  • I'm using the Microsoft Graph SDK for .NET.
  • The application works correctly for other API calls (e.g., fetching user details).

Any help or pointers would be appreciated!


Solution

  • Note: application permissions are not supported for listing group calendar events; use a delegated flow and delegated permissions. Check this MsDoc.

    I granted Application permissions to the Microsoft Entra ID application as you did.

    When I tried to retrieve the group calendar events using the client credentials flow, I got the same error.

    Hence you need to switch to a delegated flow and grant delegated API permissions to get the group calendar events.

    To fetch group calendar events, grant the Group.Read.All delegated API permission.

    Then switch to any delegated/user-interactive flow. Refer to this MsDoc.

    As a sample, I used the authorization code provider, as shown below.

    Generate the auth code by using the endpoint below and signing in through the browser:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    &client_id=ClientID
    &response_type=code
    &redirect_uri=https://replyUrlNotSet
    &response_mode=query
    &scope=https://graph.microsoft.com/.default
    &state=12345
    

    I am able to fetch the group calendar events successfully by using the code below:

    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models.ODataErrors;

    // Placeholders: replace with your own tenant, app registration and group values.
    var scopes = new[] { "https://graph.microsoft.com/.default" };
    var tenantId = "TenantID";
    var clientId = "ClientID";
    var clientSecret = "ClientSecret";
    var groupId = "GroupID";
    // The code returned to the redirect URI after the browser sign-in.
    var authorizationCode = "code";

    var options = new AuthorizationCodeCredentialOptions
    {
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
    };

    // Delegated flow: the token is issued on behalf of the signed-in user.
    var authCodeCredential = new AuthorizationCodeCredential(tenantId, clientId, clientSecret, authorizationCode, options);

    var graphClient = new GraphServiceClient(authCodeCredential, scopes);
    try
    {
        var result = await graphClient.Groups[groupId].Calendar.Events.GetAsync();
        if (result != null && result.Value != null)
        {
            Console.WriteLine("Calendar Events Retrieved:");
            foreach (var eventItem in result.Value)
            {
                Console.WriteLine($"Event: {eventItem.Subject}");
            }
        }
        else
        {
            Console.WriteLine("No events found.");
        }
    }
    catch (ODataError odataError)
    {
        // Error can be null on a malformed response, so guard the access.
        Console.WriteLine($"Error Code: {odataError.Error?.Code}");
        throw;
    }
    

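
To confirm which kind of token a client is actually sending before calling the group calendar endpoint, the access token's claims can be decoded locally: delegated tokens carry an `scp` claim, app-only (client credentials) tokens carry a `roles` claim. The following is an added example, not code from the original question or answer; the class name, helper names and the unsigned sample tokens are constructed for illustration, and it only reads claims without validating the signature.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class GraphTokenCheck
{
    // Decode the JWT payload (second segment, base64url). No signature validation:
    // this is a local diagnostic, not an authorization decision.
    static JsonElement Payload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 += new string('=', (4 - b64.Length % 4) % 4);   // restore stripped padding
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    // Delegated tokens carry "scp" (space-separated); app-only tokens carry "roles" (array).
    public static string Describe(string jwt)
    {
        var p = Payload(jwt);
        if (p.TryGetProperty("scp", out var scp))
        {
            var scopes = (scp.GetString() ?? "").Split(' ');
            return scopes.Contains("Group.Read.All")
                ? "delegated, includes Group.Read.All (the permission granted in the answer)"
                : "delegated, but Group.Read.All is missing";
        }
        if (p.TryGetProperty("roles", out var roles))
            return "app-only (" + string.Join(", ", roles.EnumerateArray().Select(r => r.GetString()))
                 + "): expect ErrorAccessDenied on the group calendar";
        return "neither scp nor roles claim present";
    }

    // Constructed, unsigned sample token for this demo only.
    static string Sample(string json) =>
        "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
                     .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        // App-only token shaped like the question's setup, then a delegated one.
        Console.WriteLine(Describe(Sample("{\"roles\":[\"Calendars.Read\",\"Group.ReadWrite.All\"]}")));
        Console.WriteLine(Describe(Sample("{\"scp\":\"Group.Read.All User.Read\"}")));
    }
}
```

Access tokens are bearer credentials, so decode them locally like this rather than pasting them into an online decoder.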