我正在开发一个应用程序来通过 Microsoft Graph 管理房间预订.最后，应用需要读取和取消预定到某个房间资源帐户的会议.

I am developing an app to manage room bookings via Microsoft Graph. In the end, the app needs to read and cancel meetings that are booked into a certain room resource account.

不幸的是，只有 Calendars.ReadWrite 权限授予应用读取和写入租户中每个用户日历的权​​限，包括私人约会.

Unfortunately, there is only the permission Calendars.ReadWrite which gives the app permissions to read and write every users calendar in the tenant, including private appointments.

我没有发现任何限制权限或更细化的可能性.

I have not found any possibility to restrict the permissions or specify them more granular.

有谁知道如何处理这个问题?(或者我是否必须再次退回到服务帐户和旧的 Exchange Web 服务，在那里我可以为该服务帐户授予细化权限?)

Does anyone know how to deal with this? (Or do I have to fall back again to service accounts and the old exchange web services, where I can give granular permissions to that service account?)

提前非常感谢！

推荐答案

应用程序权限意味着该范围的全部权限级别，参考 这里.如果您要确定此特定邮箱/日历的范围，则可以将委派权限与对这些资源具有委派权限的功能帐户一起使用.我们以前必须这样做.这很糟糕，但这就是 App Permissions 与 Delegate 的本质.

Application permissions imply the full the level of privileges of that scope, referenced here. If you are scoping this specific mailboxes/calendars, you use delegated permissions with a functional account that has delegated permissions on those resources. We've had to do that before. It sucks, but that is the nature of App Permissions versus Delegate.

如果您正在尝试编写脚本，您可以尝试使用client_secret_post".提到的令牌获取的身份验证方法 这里 和 OpenID Connect规范 和 OAuth 2.0 规范.

If you have are trying to script this, you could try the "client_secret_post" authentication method for the token acquisition mentioned here and in more detail with the OpenID Connect Spec and the OAuth 2.0 Spec.