Which Graph scopes does Cronofy utilize?

Cronofy utilizes Microsoft’s Graph API to access Exchange and Office365 data about Users, Organizations, Resources and their Calendar data.

When a user is authenticating themselves via Individual Connect, Cronofy requests access to their profile and their calendar.

When using Enterprise Connect to connect your organization, Cronofy requests access to list users & resources, organization information, and calendars.

Individual Connect

Cronofy requests the following scopes from individuals when connecting via Individual Connect:

  • User.Read
  • Calendars.ReadWrite

User.Read

Cronofy requires User.Read to be able to access profile information, such as the user’s email and name, which is needed to allow Cronofy to act on behalf of the user.

Calendars.ReadWrite

Cronofy requires Calendars.ReadWrite to create, read, update, and delete events in user calendars.

Enterprise Connect

Cronofy requests the following scopes when connecting via Enterprise Connect:

  • User.Read.All
  • Organization.Read.All
  • Places.Read.All
  • Calendars.ReadWrite

User.Read.All

Cronofy requires User.Read.All to be able to access profile information, such as the user’s email and name, which is needed to allow Cronofy to act on behalf of the users in the organization.

Organization.Read.All

Cronofy requires Organization.Read.All to identify the domains used by the organization when connecting via Graph Enterprise Connect.

We also make use of the ID field, which allows us to uniquely identify the tenant within Graph.

Places.Read.All

Cronofy requires Places.Read.All to view conference rooms and room lists when creating and reading calendar events.

Calendars.ReadWrite

Cronofy requires Calendars.ReadWrite to create, read, update, and delete events in user and room calendars.

Why are these scopes required?

At present, there is no less permissive scope available for us to access the required profile and organization data to act on behalf of users to interact with their calendars via Graph.

However, Microsoft does periodically introduce new scopes. If this were to happen, we would review and potentially look to migrate to the new variants, as Cronofy aims to request the least permissive scopes that we require.

You may limit which users’ data Cronofy is able to access by following this guide.
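
An added example, not Cronofy's own code: a check a tenant administrator could run to confirm that the scopes actually consented match the lists on this page. It assumes the input is a space-separated scope string (the form of a delegated permission grant's `scope` value or a token's `scp` claim); the function names and sample grants are constructed for illustration.

```python
# Scope lists copied from this page, keyed by connection type.
DOCUMENTED = {
    "individual": {"User.Read", "Calendars.ReadWrite"},
    "enterprise": {"User.Read.All", "Organization.Read.All",
                   "Places.Read.All", "Calendars.ReadWrite"},
}
# Assumption: standard OpenID Connect scopes are not Graph data permissions and
# are not listed on this page, so they are reported separately, not as findings.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
GRAPH_PREFIX = "https://graph.microsoft.com/"


def parse_scopes(scope_string):
    """Split a space-separated scope string, dropping any Graph resource prefix."""
    scopes = set()
    for raw in scope_string.split():
        if raw.lower().startswith(GRAPH_PREFIX):
            raw = raw[len(GRAPH_PREFIX):]
        scopes.add(raw)
    return scopes


def audit_grant(connect_type, scope_string):
    """Compare granted scopes with the documented list for one connection type."""
    expected = {s.lower(): s for s in DOCUMENTED[connect_type]}
    matched, oidc, unexpected = set(), set(), set()
    for scope in parse_scopes(scope_string):
        key = scope.lower()  # compared case-insensitively (a choice made here)
        if key in expected:
            matched.add(expected[key])
        elif key in OIDC_SCOPES:
            oidc.add(key)
        else:
            unexpected.add(scope)  # e.g. User.Read.All where User.Read is documented
    missing = set(expected.values()) - matched
    return {"missing": sorted(missing), "unexpected": sorted(unexpected),
            "oidc": sorted(oidc), "ok": not missing and not unexpected}


# Constructed sample grants, not taken from a real tenant.
SAMPLES = [
    ("individual", "openid offline_access User.Read Calendars.ReadWrite"),
    ("individual", "User.Read.All calendars.readwrite"),
    ("enterprise", "https://graph.microsoft.com/User.Read.All "
                   "Organization.Read.All Calendars.ReadWrite Mail.Read"),
]

if __name__ == "__main__":
    for connect_type, granted in SAMPLES:
        print(connect_type, audit_grant(connect_type, granted))
```

An `unexpected` entry means the grant is wider than this page documents; a `missing` entry means consent is incomplete or the documented list has changed.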

Further reading

Further information about the scopes listed above can be found in the Microsoft Graph permissions reference.