How-to: Accessing other mailbox calendars with Graph

Accessing calendars with Graph requires some configuration in permissions before the Graph call will work. What is required relates to the type of application and that drives the type of permissions – Delegate or Admin. Below is information to help understand and help setting up the needed permissions.

Starting information:

For Graph to read from a shared mailbox (similar to Outlook delegate access), you need to set permissions in Azure and may also need to set sharing permissions.  If you set Calendars.Read.Shared permissions then the user would need to share their calendar.  If you set Calendars.Read for your application, then it can access all calendars in the org – there is no way to filter the scope.

Microsoft Graph permissions reference
Look under "Microsoft Graph permission names" and "Calendar permissions"

In Azure, set:

Calendars.Read.Shared permissions:  Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. (Delegated permissions)


Calendars.Read:  Allows the app to read events of all calendars without a signed-in user.  (Application Permissions)

It's the same for REST:

Outlook Calendar REST API reference

See "Using the Calendar REST API"

Delegate permissions:

For delegate permissions, three things are needed:

  • Calendar.Read.Shared or Calendar.ReadWrite.Shared in Azure.
  • The user also needs to grant shared permission to the calendar.
  • In the scope of requested permissions in your code, ask for the same permissions you granted in Azure.

Here is how a user can share their calendar for an application using Delegate permissions:

Calendar sharing in Office 365

Share an Outlook calendar with other people

Admin permissions:

For Admin permissions (used by Background services or daemons Applications), Admin consent will need to be granted for Calendar.Read or Calendar.ReadWrite. This will allow the application to access all mailboxes in the organization. These permissions cannot be filtered to anything less than all mailboxes.

Get access without a user

Daemon Applications:

Here is additional information on building a daemon application:

Build service and daemon apps in Office 365

Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs (OAuth2 client credential flow)

 Azure-Samples – Active Directory DotNet Daemon V2 


Here are articles to review on Graph/Rest throttling:

Microsoft Graph throttling guidance

Throttling coming to Outlook API and Microsoft Graph

Gotchas – Microsoft Graph/Outlook REST API throttling, best practices


Here is how to list shared mailboxes:

How to get a list of Shared mailboxes and users with permissions to those mailboxes in Exchange Online?

Be sure to also read the following, which covers how the credentials flow:

Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow

Information on permission scopes:

Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint

Permission scopes | Graph API concepts



Skip to main content