Which Graph scopes does Cronofy utilize?

Cronofy utilizes Microsoft’s Graph API to access Exchange and Office365 data about Users, Organizations, Resources and their Calendar data.

When a user is authenticating themselves via Individual Connect, Cronofy requests access to their profile and their calendar.

When using Enterprise Connect to connect your organization, Cronofy requests access to list users & resources, organization information, and calendars. This is done via the Cronofy Enterprise for Office 365 application.

Individual Connect #

Cronofy requests the following scopes from individuals when connecting via the Cronofy for Office 365 application (Application ID f573e3d3-ea9c-4d8d-9d8f-20107b8cedbd) for Individual Connect.

Application Scopes

User.Read

Calendars.ReadWrite

Enterprise Connect #

Cronofy requests the following scopes when connecting via the Cronofy Enterprise for Office 365 application (Application ID 10bb7e5b-b80b-4e6e-a209-f78581dbc79e) for Enterprise Connect.

Application Scopes: User.Read.All; Organization.Read.All; Place.Read.All; Calendars.ReadWrite
Delegate Scopes: openid; email

Scopes

User.Read #

Microsoft API doc

Individual Connect requires User.Read to be able to access profile information, such as the user’s email and name, which is needed to allow Cronofy to act on behalf of the user.

User.Read.All #

Microsoft API doc

Enterprise Connect requires User.Read.All to be able to access profile information, such as the user’s email and name, which is needed to allow Cronofy to act on behalf of the users in the organization.

Organization.Read.All #

Microsoft API doc

Cronofy requires Organization.Read.All to identify the domains used by the organization when connecting via Graph Enterprise Connect.

We also make use of the ID field which allows us to able to uniquely identify the tenant within Graph.

Why not User.ReadBasic.All?

User.ReadBasic.All does not return certain fields that are required for Cronofy to sync account details.

Notably we have found preferredLanguage, userType, and accountEnabled fields are omitted from the user object.

We have also found that we are unable to query against a users proxyAddresses (email aliases), which is used in account resolution.

Place.Read.All #

Microsoft API doc

Cronofy requires Places.Read.All to view conference rooms and room lists when creating and reading calendar events.

Calendars.ReadWrite #

Microsoft API doc

Cronofy requires Calendars.ReadWrite to create, read, update, and delete events in user and room calendars.

Why can’t I sync only Free/Busy information?

Unlike Exchange Web Services, there is no Graph API scope that permits only Free/Busy access to a calendar. Until Microsoft add a scope for this more restrictive level of access, the least powerful scope we can request is Calendars.ReadWrite.

We take data management and compliance very seriously to ensure that Cronofy can be trusted to handle data appropriately; you can learn more about this in Cronofy’s Privacy hub

openid #

Microsoft API doc

Cronofy uses the openid scope to verify the account of the person completing the authorization.

email #

Microsoft API doc

Cronofy uses the email scope to identify the user who is completing the Enterprise Connect authorization flow.

Why are these scopes required? #

At present, there is no less permissive scope available for us to access the required profile and organization data to act on behalf of user’s to interact with their calendars via Graph.

However, Microsoft does periodically introduce new scopes. When this happens, we review and potentially look to migrate to the new scopes as appropriate. Cronofy aims to request the least permissive scopes that we require.

You may limit which users’ data Cronofy is able to access by following the Enterprise Connect guide.

Which Graph scopes does Cronofy utilize?

Individual Connect #

Enterprise Connect #

Scopes

User.Read #

User.Read.All #

Organization.Read.All #

Place.Read.All #

Calendars.ReadWrite #

openid #

email #

Why are these scopes required? #

Further reading #