Why do we need daemon applications?
Microsoft 365 APIs use OAuth2 authorization. As part of the OAuth2 flow, an access token and a refresh token are issued. These tokens are provided to the daemon applications (Token Provider and Notification) so that they can continue accessing the required data in the background.
What is Azure AD application registration?
To access the required user information in Microsoft 365, applications must register against Azure AD to get an Application ID. This Application ID is then used by the Token Provider and Notification daemon applications.
Why do we need full mailbox permissions?
The service account used to access the Exchange Web Service (EWS) is an account that can be given impersonation rights. However, with Microsoft 365 APIs and OAuth2 there is no concept of impersonation rights, because authentication works on application tokens rather than on a user account. This means that, to create the necessary appointments in the calendars, the daemon applications require full mailbox permissions.
If the daemon applications have full access to all calendars, does it then access users’ calendars?
No. Currently, Microsoft 365 does not differentiate between room calendars and user calendars; however, the daemon applications only subscribe to room calendars, so they are not aware of users’ calendars.
Can an Azure AD administrator create a security group and add all the required rooms so that permission on all calendars in a tenant is not required?
Yes, by applying an Application Access Policy. An Application Access Policy can either restrict an application’s Graph API access to the members of a mail-enabled security group, or deny it access to those members. Visit Control access to calendars to learn more.
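The following Exchange Online PowerShell session is an added example, not part of the original page or the product’s own tooling: it scopes the daemon applications’ Graph access to a mail-enabled security group that contains only the room mailboxes, then verifies the result for a room and for an ordinary user. The Application ID, group name and mailbox addresses are placeholders; the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Connect with an account that holds the Exchange Online administrator role.
Connect-ExchangeOnline

# Placeholder Application ID of the registered daemon application (Token Provider / Notification).
$appId = "00000000-0000-0000-0000-000000000000"

# 1. Create a mail-enabled security group that will hold only the room mailboxes.
#    (Placeholder name/alias; choose names that fit the tenant's conventions.)
New-DistributionGroup -Name "RoomBookingDaemonScope" `
                      -Alias "roombookingdaemonscope" `
                      -Type Security

# 2. Add every room mailbox in the tenant to the group.
#    A tenant can instead add only the rooms the booking system should manage.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited |
    ForEach-Object {
        Add-DistributionGroupMember -Identity "RoomBookingDaemonScope" `
                                    -Member $_.PrimarySmtpAddress
    }

# 3. Restrict the application to the group: Graph calls made with this
#    Application ID succeed only against mailboxes that are group members.
#    AccessRight DenyAccess would do the opposite (block only the members).
New-ApplicationAccessPolicy -AppId $appId `
                            -PolicyScopeGroupId "RoomBookingDaemonScope" `
                            -AccessRight RestrictAccess `
                            -Description "Limit room booking daemons to room mailboxes"

# 4. Verify. Policy changes can take some time to propagate, so re-run if
#    the first result does not match expectations.
#    Expected AccessCheckResult: Granted for the room, Denied for the user.
Test-ApplicationAccessPolicy -Identity "room.101@contoso.example" -AppId $appId
Test-ApplicationAccessPolicy -Identity "alice@contoso.example"    -AppId $appId
```

Re-run step 2 (or add the new room to the group) whenever a room mailbox is created, otherwise the daemons will be denied access to it.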
Why is Exchange Web Service (EWS) still required now Microsoft 365 APIs are being used?
Microsoft 365 APIs are being used only for notifications. All other actions are being done using EWS.
How can access to the daemon applications be revoked?
An Azure AD administrator can revoke application permissions from the client’s Azure Management Portal.
Is there any throttling policy set by Microsoft when using Microsoft 365 APIs or EWS?
There are no clear guidelines from Microsoft on this; however, throttling could affect the performance of the system.