๐ฆ Title
401 Unauthorized when calling Microsoft Graph Calendar API (App-only flow) even with correct permissions in token
๐ฉ Body
Iโm trying to fetch calendar events using the App-only (client credentials) flow with Microsoft Graph API. The token is issued successfully, but every request to /users/{id}/calendar/events or /users/{id}/events returns 401 Unauthorized.
๐น Token details (decoded via jwt.ms)
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/950a4376-c358-4553-980a-9ba773e48dff/",
"iat": 1761310165,
"nbf": 1761310165,
"exp": 1761314065,
"aio": "k2JgYIg/4yn16NcS5/v1616vPJgaDQA=",
"app_displayname": "Multi tenant app",
"appid": "1409b9f1-217e-49ad-8180-898d1e0dfddf",
"appidacr": "1",
"idtyp": "app",
"roles": [
"User.ReadBasic.All",
"User.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Calendars.Read",
"Application.ReadWrite.All",
"Application.ReadUpdate.All",
"User.Read.All",
"Calendars.ReadBasic.All",
"Calendars.ReadWrite",
"Application.Read.All"
],
"tid": "950a4376-c358-4553-980a-9ba773e48dff",
"ver": "1.0"
}
๐น Request Example
GET https://graph.microsoft.com/v1.0/users/{user_id}/calendar/events
Authorization: Bearer {access_token}
Content-Type: application/json
Response:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience or permissions."
}
}
๐น What Iโve Verified
โ
Token audience (aud) = https://graph.microsoft.com โ
Token contains Calendars.ReadWrite and User.Read.All roles โ
Admin consent granted in Azure Portal โ
Token issued via client credentials flow:
POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
grant_type=client_credentials
client_id={client_id}
client_secret={client_secret}
scope=https://graph.microsoft.com/.default
โ
App is multi-tenant and consented for Application permissions
๐น The Problem
Despite the correct roles and consent, every request to read or write calendar data results in:
401 Unauthorized
InvalidAuthenticationToken
๐น Questions
Is there any additional Exchange Online or M365 mailbox configuration needed for App-only access to calendars?
Are there differences between delegated (Calendars.ReadWrite) and application (Calendars.ReadWrite) permissions that could cause this?
How can I verify that the service principal has mailbox access for the target user?
Does app-only access require Exchange Online full mailbox delegation for each user?
๐งฉ Environment
Flow: App-only (client credentials)
API version: v1.0
Tenant ID: 950a4376-c358-4553-980a-9ba773e48dff
App ID: 1409b9f1-217e-49ad-8180-898d1e0dfddf
Graph permissions (Application): Calendars.Read, Calendars.ReadWrite, User.Read.All, User.ReadWrite.All
๐จ Goal
Fetch and sync calendar events for organization users using App-only flow (no user login). Looking for clarification why this fails with 401 even though the token includes valid Calendars.ReadWrite roles and audience is correct.
๐ฆ Title
401 Unauthorized when calling Microsoft Graph Calendar API (App-only flow) even with correct permissions in token
๐ฉ Body
Iโm trying to fetch calendar events using the App-only (client credentials) flow with Microsoft Graph API.
The token is issued successfully, but every request to /users/{id}/calendar/events or /users/{id}/events returns 401 Unauthorized.
๐น Token details (decoded via jwt.ms)
{
๐น Request Example
GET https://graph.microsoft.com/v1.0/users/{user_id}/calendar/events
Authorization: Bearer {access_token}
Content-Type: application/json
Response:
{
๐น What Iโve Verified
โ
Token audience (aud) = https://graph.microsoft.com
โ
Token contains Calendars.ReadWrite and User.Read.All roles
โ
Admin consent granted in Azure Portal
โ
Token issued via client credentials flow:
POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
grant_type=client_credentials
client_id={client_id}
client_secret={client_secret}
scope=https://graph.microsoft.com/.default
โ
App is multi-tenant and consented for Application permissions
๐น The Problem
Despite the correct roles and consent, every request to read or write calendar data results in:
401 Unauthorized
InvalidAuthenticationToken
๐น Questions
Is there any additional Exchange Online or M365 mailbox configuration needed for App-only access to calendars?
Are there differences between delegated (Calendars.ReadWrite) and application (Calendars.ReadWrite) permissions that could cause this?
How can I verify that the service principal has mailbox access for the target user?
Does app-only access require Exchange Online full mailbox delegation for each user?
๐งฉ Environment
Flow: App-only (client credentials)
API version: v1.0
Tenant ID: 950a4376-c358-4553-980a-9ba773e48dff
App ID: 1409b9f1-217e-49ad-8180-898d1e0dfddf
Graph permissions (Application):
Calendars.Read, Calendars.ReadWrite, User.Read.All, User.ReadWrite.All
๐จ Goal
Fetch and sync calendar events for organization users using App-only flow (no user login).
Looking for clarification why this fails with 401 even though the token includes valid Calendars.ReadWrite roles and audience is correct.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 61%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 24%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIK%3C/text%3E%3C/svg%3E)