KhajamiyaPutnala-6163 asked KhajamiyaPutnala-6163 commented

Graph API - On-Prem Exchange read user calendar fails with 401 Unauthorised

We have a hybrid Exchange setup. We are trying to read the user calendar using the Microsoft Graph API, and when trying to fetch the user calendar of an on-prem Exchange, the Graph API returns a 401 Unauthorised error. The same works fine with an Exchange Online user calendar. The application has all necessary permissions (Calendars.Read, Calendars.ReadWrite). We are able to fetch the on-prem user calendar by logging into Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer), but the same is not working if we are using the Graph API.

Please help us with the resolution.

microsoft-graph-calendar microsoft-graph-applications

Please use https://jwt.ms/ to parse your token and provide a screenshot.


Hi CarlZhao,
Thank you for your response. Please find the decoded token.
133790-image.png


CarlZhao-MSFT replied to KhajamiyaPutnala-6163:

It looks okay, are you calling the /me endpoint or the /users endpoint?

CarlZhao-MSFT replied to KhajamiyaPutnala-6163:

@KhajamiyaPutnala-6163 The token you get using the client credential flow can only call the /users/{user id} endpoint. If you want to call the /me endpoint, you need to use the auth code flow to get the token, as I said in the answer.

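The jwt.ms check and the /me versus /users/{user id} distinction from the comments above can be scripted; this is an added example, not code from the thread or from Microsoft. It assumes the usual Microsoft identity platform convention that application permissions appear in the `roles` claim and delegated permissions in `scp`; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Both values identify Microsoft Graph as the token audience.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}

def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def token_kind(claims):
    """Delegated tokens carry 'scp'; client-credentials tokens carry 'roles'."""
    if claims.get("scp"):
        return "delegated", set(claims["scp"].split())
    if claims.get("roles"):
        return "app-only", set(claims["roles"])
    return "no-permissions", set()

def check_call(token, path, needed=("Calendars.Read", "Calendars.ReadWrite")):
    """List reasons the token itself is unsuitable for a Graph calendar path."""
    claims = decode_claims(token)
    kind, granted = token_kind(claims)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("audience is not Microsoft Graph")
    if path.startswith("/me") and kind != "delegated":
        problems.append("/me needs a delegated token (auth code flow)")
    if not granted & set(needed):
        problems.append("none of the needed permissions are in the token")
    return kind, problems

def make_sample(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])

# Constructed sample tokens, not real ones.
APP_TOKEN = make_sample({"aud": "https://graph.microsoft.com", "roles": ["Calendars.Read"]})
USER_TOKEN = make_sample({"aud": "https://graph.microsoft.com", "scp": "Calendars.Read User.Read"})

if __name__ == "__main__":
    for tok, path in [(APP_TOKEN, "/users/user@domain.com/calendars"),
                      (APP_TOKEN, "/me/calendars"), (USER_TOKEN, "/me/calendars")]:
        print(path, check_call(tok, path))
```

An empty problem list only says the token is well-formed for the call; as the answer in this thread explains, an app-only token that passes these checks is still rejected for a mailbox hosted on on-prem Exchange.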

1 Answer

CarlZhao-MSFT answered KhajamiyaPutnala-6163 commented

I finally figured out the problem. This is because On-Prem Exchange does not support client credential flow, so you cannot call on-prem user calendar. On-Prem Exchange only supports regular auth code flow that requires user login.




We are generating the token using client credentials flow (https://login.microsoftonline.com/XXX-2787-462c-a2d7-XXX/oauth2/v2.0/token) and then calling the https://graph.microsoft.com/v1.0/users/user@domain.com/calendars to fetch the user calendar.

We are using the app directory id, client id, and the secret to generate the token.

As I mentioned in the ticket description, we have a hybrid exchange setup. We are able to fetch the online exchange user calendar without any issues using the above mechanism. We are having an issue only with the on-prem user calendar.

Note that we have the necessary application permissions for the Graph application created in AD to read the user calendar.

As per your suggestion, in order to use the /me endpoint, we need to use the delegated authentication flow.

CarlZhao-MSFT replied to KhajamiyaPutnala-6163:

You mean it is not possible to get the on-prem user's calendar through the /users/{user id} endpoint?


Ours is a hybrid setup and we have the sync between on-prem and online exchange. We are able to see the user calendars of on-prem from the online exchange user mailbox and vice versa.


We have created the graph application and given the necessary application permissions and are trying to read the user's calendar.

We are able to fetch the user calendar whose mailbox is on exchange online, but if we try to fetch the user calendar of the user whose mailbox is on-premises, we get the unauthorized response from the graph. Below is the image for your reference. If I try the same request with the user whose mailbox is on an online exchange, I get the proper response.
133914-image.png

