Better way to access Outlook Calendar without UI in a background application - microsoft-graph-api

Scenarios for accessing the Calendar usually involve the user signing in and granting consent to give delegated permissions. This seems to apply to both Office 365 and Graph APIs.
I have seen solutions here for accessing Calendar without UI, but it involves storing the username and password which is less than desired. The other option is using the Graph API with application permission - unfortunately, the Calendars.ReadWrite permission is for all users: "Read and write calendars in all mailboxes". It's unlikely I can get this access granted by an admin as I work in a large company, not to mention I simply don't need that much access.
So my question is, is there any way to get application permission (or any other way to access outlook calendar without UI) for only a handful of users?

You can use scoping https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/concepts/auth-limit-mailbox-access.md which allows application permissions to be limited to a subset of user. What type of application are you actually trying to create ? Something like getSchedule https://learn.microsoft.com/en-us/graph/api/calendar-getschedule?view=graph-rest-1.0&tabs=http can be used by the logged on user to query another users FreeBusy permission and retrieve a limited subset of information about appointments eg Start,End,Subject,location which is often ample for a lot of calendar applications.

Related

To read another users mailboxsettings with MSGraph does the application really need application level permissions?

I am trying to read a person's Out of Office text with MSGraph. I understand the only way to do this is by getting the person's mailbox settings as indicated here.
Is there another way to read a person's Out of Office Message?
Assuming there is no other way I then have read for example in this link that to call GET /users/{id|userPrincipalName}/mailboxSettings you need to have Application Permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. Is this still the case? It does not make sense to me that you need Application level permissions. Is there not a delegated (admin consent required) MailboxSettings.Read.All??? The problem is that most IT departments will be hesitant (or pigs are going to fly before some IT departments) give an application this permission to run without a signed in user.
Alternatively, I see that there is a User property of mailboxsettings, thus using the $select query parameter you can call this https://graph.microsoft.com/v1.0/users/{id}?$select=mailboxSettings does or should this work with the User.Read.All.
UPDATE in accordance with the suggestion below I have added 2 suggestions to the MSGraph user voice.
A person's out of office information should be included with their calendar / freebusy (getschedule) information.
There should be a Mailboxsettings.Read.All permission.
Please click on the link and vote them up if you agree.
No, there is no MailboxSettings.Read.All or MailboxSettings.Read.Shared. You can see the list at https://learn.microsoft.com/graph/permissions-reference#mail-permissions. I encourage you to request this as a feature at https://microsoftgraph.uservoice.com.
One possible approach given the currently available permissions around this API is to use app permissions and configure an app access policy to limit the mailboxes it can access - if that's the concern you're mentioning. I'm not clear on why it would be preferable to give a user account access to this info for all mailboxes in an org but not an app service principal.
It isn't included as part of User.Read.All by design. It's not really a property on the user, it's config stored in the mailbox. It's abstracted as a property in Graph, but it requires additional permissions to access.

Microsoft Graph API - how to grant access for my inbox via API to specific user(s)

I have a question about handling permission grants of inboxes via Microsoft Graph API.
Is it possible via Microsoft Graph API to grant another user the access permission to my inbox messages?
I dont found any suitable operation until now.
Retrieving relased mailboxes from another user works fine, but how to make my own inbox visible to specific user that he has the grant to access my inbox?
I dont found a operation under:
https://graph.microsoft.com/v1.0/users.....
or https://graph.microsoft.com/v1.0/me.......
Thanks for your help
According to the documentation, you'll need delegated access.
If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user.
At this moment you have no way to share your mailbox by using the api. If you however shared your mailbox with some other user, they will be able to access it.
I think it's a good thing that you cannot share your mailbox from an app, because it would be easy to compromise a mailbox of some user by a malicious app. If you really want you might be able to share the users mailbox by using EWS (that is the same connection the Outlook app uses).

Restrict Microsoft Graph Service Account / Client Credentials

I'm developing an application on Microsoft Graph that runs as a daemon, and needs access to many accounts. As a result, I'm using a service account, also known as client credentials (using this method).
I can request the proper scope (calendars.readwrite) however as far as I can see, I cannot restrict to which calendars I have access. In my case, I only need access to the meetingroom calendars, and I'm afraid that organisations will not allow my application if I can also read and write from/to the CEO's calendar.
Is there any way (either while creating the app, or during/after giving admin consent) to restrict my app to only a subset of calendars? Or should I approach this problem differently and (e.g.) not use a service account in the first place?

Is there an iCloud web api?

I'd like to be able to access a user's iCal and create events from my server, is this possible, preferably with some kind of OAuth2 setup like with Google Calendar? If so where can I find documentation on the API?
Unfortunately no. There is currently no OAuth whatsoever for iCloud. However, there are two solutions to consider:
Ask the user for their AppleID and password and store it on your server (not recommended for security reasons). This will allow access to EVERYTHING the user has enabled on their account; even the ability to log in and purchase content - thus the security issue. But it will give you direct access to iCal.
Ask the user for access to calendar through your app. Using EKEventStore requestAccessToEntityType: method you can gain access to the users local calendar. You could batch those events and send them to your server. You can find information on how to access calendar here.
It is possible. iCloud supports CalDAV on caldav.icloud.com, and that quite well. It allows you to create, modify and delete events and tasks. Unfortunately you have to have the user's credentials for this though.

Embedding an interactive google calendar in website for multiple groups of users

I am thinking to embed google calendar in my website to achieve the following and was wondering if this is doable in google calendar. Otherwise I have to go find another solution.
I have groups of users with one super user, and rest are regular users as follows:
GroupA
Super User 1
Regular User 1
Regular user 2
etc
Group B
Super User 2
Regular User 3
Regular User 4
etc
Each group have their own calendar. Users in each group can not see the other group's calendar. Only able to see their own group's calendar.
Super users of each group have all access to the calendar (add, modify, delete) and have the ability to control how much access regular users have in their group. (read only? read/write etc)
All users are registered to my website, therefore I am thinking to use only one google calendar account (my own account) to create a calendar for each group. Which leads to a question of authenticating my website to google's API. I need the authentication process to be automatic, hidden away from the user and be done on the server side.
My site is built using PHP/Mysql
Q1:
I have tried the Javascript client library provided by google, however it require the user to type in username/password to log into google so that the authentication (OAuth2) process can work. As mentioned in previous paragraph, I only want the user's to log into my website, they do not need to login again into google account. This should be done on serverside.
I even went as far to create a login form with information prepopulated (hidden from the user, the username/password will be visible in "view page source") and send the request to https://accounts.google.com/ServiceLoginAuth, and make the form automatic submit once the user successfully login into my website. However this causes cross domain issues.
Q2:
I may potentially have 10's of thousands of groups registered on my website. each group may have couple hundred users. Can one single google account create that many calendars?
Q3:
Once the calendar is embedded into my website, it seems to be read-only. Is it possible to make it interactive so super users in each group can add/delete/modify events?
Any ideas/suggestions is much appreciated.
Thank you
No answers? It seems like your question is straightforward. If I understand correctly, you want to access calendars from several Google accounts/users. Each user needs to authorize this access, but they only need to do so once. You could generate these requests and send them out via email, for example. When the user grants permission, Google forwards a grant code to your specified callback_uri. The grant code is extremely volatile. It's used to request a token from Google that apparently lasts indefinitely. So there's no requirement that users continually log into Google.
In Google's calendar/simple.php example. The token is stored as a SESSION variable. Even though the token is persistent, the SESSION variable is not. Users have to grant authorization every time the SESSION variable expires. Storing persistent data in a volatile variable is absurd and probably gives the wrong impression about the OAuth2 token mechanism.
I spent a lot of time writing documentation that I couldn't find anywhere else. Please take a look if you think it might help: http://www.tqis.com/eloquency/googlecalendar.htm
What you're asking isn't possible in Google Calendar.
If you're looking to support thousands of groups and each group needs it's own calendar, then you're saying that you'd need thousands of calendars with access control and you'd need authentication to the calendar to be transparent.

Resources