Step 2b: Granting delegated permissions
Next, we need to make sure the newly created app has the correct permissions to access user calendars. This page describes the steps required when using delegated permissions.
In the newly created application choose "API permissions".
Click "Add a permission".
Choose "Microsoft Graph" > "Delegated Permissions" > "OpenId permissions" and tick "offline_access".
Also choose "Calendars" and tick "Calendars.ReadWrite".
If you are using the Outlook Categories functionality where each MyTimetable event gets their own colour, also choose "MailboxSettings" and tick "MailboxSettings.ReadWrite". Our support department or you MyTimetable administrator can inform you if this is the case.
Click "Add permissions".
Make sure the default "User.Read" permissions is still listed as well.
This concludes the setup of the application.
You need to make sure user consent to applications is allowed. By default, this is the case, but settings in your Azure AD may differ. Read Configure how end-users consent to applications on the Microsoft documentation site for more information. Possible options are:
User consent is allowed for all applications. This is the default. In the Azure AD portal under "Enterprise applications" > "Consent and permissions" > "User consent settings" the option "Allow user consent for apps" will be checked.
Administrator grants admin consent. This can be done with the button "Grant admin consent" in the "API permissions" dialog above. In this case, users will not be shown a consent prompt when setting up the synchronisation. Users will still have to enable the sync themselves and MyTimetable will not have access to the user's calendars without this interactive step.
A custom app consent policy allows user consent for MyTimetable. This requires creating an app consent policy using Powershell and the instructions at Manage app consent policies. Here you will have to specify PermissionType as 'delegated' and ClientApplicationIds with the application id of the created application. You will then have to allow users to consent to apps in the poilcy using the further instructions on this page.
User consent is allowed for verified apps and apps in the own directory. In the Azure AD portal under "Enterprise applications" > "Consent and permissions" > "User consent settings" the options "Allow user consent for apps from verified publishers" will be checked. In this case, you will need to add the "Calendar.ReadWrite" permission as "low impact" permission in this dialog. Be aware that other applications in your Azure AD or from verified publishers will also be able to request the "Calendar.ReadWrite" permission.
The "Read and write calendars in all mailboxes" application permission is described by Microsoft as "Allows the app to create, read, update, and delete events of all calendars without a signed-in user". Less restrictive scopes that allow MyTimetable to perform the operations required are not available at the moment. MyTimetable only reads, updates and deletes calendar events it has created itself, but this is something that is enforced in the synchronisation backend, not by Office 365. So while MyTimetable does not read, update or delete other calendar events, it does have the permissions to do so.
When using delegated permissions, MyTimetable will only have access to calendars of users that actually activated the sync through MyTimetable themselves.