Hi,

I'm currently working on a feature that utilizes the /users/{id|userPrincipalName}/calendar/getSchedule resource of the graph api.

We let our clients enter the SMTP addresses of resources so that we can display their availability and do some recommendations.

The worry is that, although we ask only for the Calendars.Read authorization on the azure app registration, this gives us too broad access to their users calendars.

I have searched around for some solution that would allow our clients to limit the reach of the access they give us. At first, I found that we could set up an ApplicationAccessPolicy. But after testing, we found that it only limited the {id|userPrincipalName} we passed into the request URL, we could still put any address in the body and get the calendars of other users.

I also tried to limit the app to a single (fake) user with the ApplicationAccessPolicy and limit this user to a group of addresses with MailboxFolderPermission, but this also had no impact after testing.

Are you aware of a solution that would guaranty our clients that we had only the access we needed?