Restrict Azure App Registration Calendar Access Permissions

This document describes how an Azure App Registration with Calendar.Read/Write permissions can be limited to only certain users in a company (Azure Tenant).

Many of the steps are almost exactly the same as on Restrict Azure App Registration E-Mail Permission, so instead of duplicating the entire document contents, focus will be on what’s different.

1. Create E-mail Enabled Security Group

Same as on Restrict Azure App Registration E-Mail Permission page.

It might be counter-intuitive, but it is still a “Mail Enabled Security Group” that should be created, even though calendar has nothing to do with E-mail. Using a different group type will not work.

It is suggested to use a different group name that is more descriptive for this purpose, for example totalviewcalendarsynchronization.

Users or groups added to the group will be those for which calendar synchronization will be enabled.

2. Install Exchange Online Management PowerShell module

Same as on Restrict Azure App Registration E-Mail Permission page.

3. Apply Application Access Policy to Azure App Registration

Same as on Restrict Azure App Registration E-Mail Permission page, except verification step 2, which is not relevant for calendar synchronization.

4. Verification

NB: It has been observed that it can take up to an hour before access restrictions are enforced on all user calendars in the E-mail Enabled Security Group.

If access restrictions do not seem to be enforced, try again in an hour or two.

  • Open TotalviewExchange365.exe from <Totalview Installation Folder>\InstallFiles\Exchange365

  • Input credentials in the first three boxes – the E-mail related settings are not relevant and can be left as is.

  • Press “Test Without Totalview”.

  • Type in the e-mail address of a user who should be allowed to synchronize calendar and press “Get/refresh current user’s appointment list”. In the log window the user’s appointments should be listed.

  • Type in the e-mail address of a user who should not be allowed to synchronize calendar and press “Get/refresh current user’s appointment list”. In the log window an ErrorAccessDenied error should be logged.
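
The same allowed/denied check can also be run from the Exchange Online Management PowerShell module installed in step 2. The script below is an added example, not taken from the Totalview documentation; the App ID, group address and user addresses are placeholders to be replaced with your tenant's values.

```powershell
# Added example. All values below are constructed placeholders.
$AppId       = '00000000-0000-0000-0000-000000000000'             # Application (client) ID of the App Registration
$ScopeGroup  = 'totalviewcalendarsynchronization@example.com'     # the mail-enabled security group from step 1
$AllowedUser = 'allowed.user@example.com'                         # member of the group
$DeniedUser  = 'denied.user@example.com'                          # not a member of the group

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Create the restricting policy only if this app does not already have one,
# so the script can be re-run for verification without creating duplicates.
$existing = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Restrict calendar access to members of the synchronization group'
}

# Expected outcome per mailbox: group members are granted, everyone else is denied.
$expected = @{ $AllowedUser = 'Granted'; $DeniedUser = 'Denied' }
$failures = 0
foreach ($user in $expected.Keys) {
    $result = Test-ApplicationAccessPolicy -Identity $user -AppId $AppId
    $actual = [string]$result.AccessCheckResult
    if ($actual -eq $expected[$user]) {
        Write-Host "OK    $user -> $actual"
    } else {
        Write-Warning "FAIL  $user -> $actual (expected $($expected[$user]))"
        $failures++
    }
}

Disconnect-ExchangeOnline -Confirm:$false
if ($failures -gt 0) { throw "$failures mailbox(es) did not match the expected policy result." }
```

Test-ApplicationAccessPolicy evaluates the policy inside Exchange Online, so it can report the expected result before the restriction is enforced for the application's actual calendar requests; the TotalviewExchange365.exe test above remains the end-to-end check.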