Next, we need to make sure the newly created app has the correct permissions to access user calendars. This page describes the steps required when using application permissions.
- In the newly created application choose "API permissions".
- Click "Add a permission".
- Choose "Microsoft Graph" > "Application Permissions" > "Calendars" and tick "Calendars.ReadWrite".
- Click "Add permissions".
- Click "Select"
- Click "Done"
- Click the "Grant admin consent" button and confirm using "Yes"
- This concludes the application setup.
The "Read and write calendars in all mailboxes" application permission is described by Microsoft as "Allows the app to create, read, update, and delete events of all calendars without a signed-in user". Less restrictive scopes that allow MyTimetable to perform the operations required are not available at the moment. MyTimetable only reads, updates and deletes calendar events it has created itself, but this is something that is enforced in the synchronisation backend, not by Office 365. So while MyTimetable does not read, update or delete other calendar events, it does have the permissions to do so.
When using application-level permissions, this permission can optionally be scoped to specific mailboxes by following the instructions at Scoping application permissions to specific Exchange Online mailboxes.