I have a demo integration running from ServiceNow to Office 365, everything was working fine last time I checked (it was a couple days ago). I have set it up in two ways (using two Auth flows):
Authorization Code - this still works fine.
Client Credentials - this is giving me an error now when I try to access any calendar. The App is registered, the permissions are there:
When trying to run the getSchedule API, I get the below response:
"error": {
"code": "ErrorAccessDenied",
"message": "Access to OData is disabled.",
"innerError": {
"request-id": "e14a6800-ed63-4692-9934-cc0ec009d93b",
"date": "2020-03-16T14:43:34"
}
}
I checked everywhere I could. The Access token is generated. It is definitely something to do with the Graph API for the calendar.
I have a demo integration running from ServiceNow to Office 365, everything was working fine last time I checked (it was a couple days ago). I have set it up in two ways (using two Auth flows):
Authorization Code - this still works fine.
Client Credentials - this is giving me an error now when I try to access any calendar. The App is registered, the permissions are there:
When trying to run the getSchedule API, I get the below response:
"error": {
"code": "ErrorAccessDenied",
"message": "Access to OData is disabled.",
"innerError": {
"request-id": "e14a6800-ed63-4692-9934-cc0ec009d93b",
"date": "2020-03-16T14:43:34"
}
}
I checked everywhere I could. The Access token is generated. It is definitely something to do with the Graph API for the calendar.
Share Improve this question edited Sep 30, 2021 at 20:54 TylerH 21.1k78 gold badges79 silver badges114 bronze badges asked Mar 16, 2020 at 15:04 TomaszSTomaszS 2031 gold badge2 silver badges8 bronze badges1 Answer
Reset to default 4The problem was with the Application Access Policy.
Basically, if you use Application Permissions within OAuth for Microsoft 365, you can further narrow down the permissions using the below instructions: https://learn.microsoft./en-us/graph/auth-limit-mailbox-access
Microsoft Graph application permissions (you may not need all of them):
- Mail.Read
- Mail.ReadBasic
- Mail.ReadBasic.All
- Mail.ReadWrite
- Mail.Send
- MailboxSettings.Read
- MailboxSettings.ReadWrite
- Calendars.Read
- Calendars.ReadWrite
- Contacts.Read
- Contacts.ReadWrite
For more information about configuring application access policy, see the PowerShell cmdlet reference for
New-ApplicationAccessPolicy.Handling API errors
You might encounter the following error when an API call is denied access due to a configured application access policy.
{ "error": { "code": "ErrorAccessDenied", "message": "Access to OData is disabled.", "innerError": { "request-id": "<request GUID is here>", "date": "<UTC date format here>" } }If the Microsoft Graph API calls from your app return this error, work with the Exchange Online administrator for the organization to ensure that your app has permission to access the mailbox resource.
It appears in our case one of the policies was not removed/updated properly. After we removed all policies related to this integration, it started working again.