The Microsoft 365 Admin account must grant consent for Condeco to use User.Read and Calendars.ReadWrite. However, an Application Access Policy can be configured to allow or deny access to specific MS Outlook calendars.
Learn more about configuring an Application Access Policy at Microsoft: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access.
During the onboarding process, you are prompted to grant the following access to the Condeco Token Provider application, which uses Microsoft Graph:
| Permission | Description | Type | Why it is required |
|---|---|---|---|
| User.Read | Sign in and read user profile. | Delegated | Required as part of the consent flow, to read the Exchange Admin's identity and tenant information. |
| User.Read.All | Read all users' full profile. | Application | Required to fetch the user's complete profile (including GUID identifiers), which can be used when creating a subscription. |
| Calendars.ReadWrite | Read and write calendars in all mailboxes. | Application | Required to read and update events within users' calendars. |
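
One way to apply the Application Access Policy mentioned above so that the tenant-wide Calendars.ReadWrite application permission only reaches an approved set of mailboxes. This is an added example for Exchange Online PowerShell, not Condeco's or Microsoft's own script; the app ID placeholder, group address and mailbox addresses are assumptions to replace with your tenant's values.

```powershell
# Added example. All values below are placeholders or hypothetical names.
$AppId      = '<condeco-app-client-id>'            # placeholder: client ID of the consented app in your tenant
$ScopeGroup = 'condeco-calendars@contoso.example'  # hypothetical mail-enabled security group
$InScope    = 'room-101@contoso.example'           # hypothetical mailbox that IS a group member
$OutOfScope = 'exec-pa@contoso.example'            # hypothetical mailbox that is NOT a group member

# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# RestrictAccess: the app may only open mailboxes that are members of the group.
# (DenyAccess is the inverse: the app may open every mailbox except the members.)
New-ApplicationAccessPolicy `
    -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit Condeco calendar access to approved mailboxes'

# Verify the effective result for one mailbox on each side of the boundary
# and stop if the policy does not behave as intended.
$checks = @(
    @{ Mailbox = $InScope;    Expected = 'Granted' },
    @{ Mailbox = $OutOfScope; Expected = 'Denied'  }
)
foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    $actual = "$($result.AccessCheckResult)"
    if ($actual -ne $check.Expected) {
        throw "Policy check failed for $($check.Mailbox): expected $($check.Expected), got $actual"
    }
    Write-Output "$($check.Mailbox): $actual (as expected)"
}

# Record the policies attached to this app for change-control evidence.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-List
```

The policy scopes mailbox permissions such as Calendars.ReadWrite; it does not limit the directory permission User.Read.All. Microsoft documents that policy changes can take more than an hour to affect Microsoft Graph calls even after `Test-ApplicationAccessPolicy` reports the expected result.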