Introduction
This guide provides step-by-step instructions for Microsoft Administrators on how to manage and remove specific calendar permissions from an application through the Microsoft Entra Identity and Access Management platform. Following these steps will ensure that the permission dialog does not prompt end-users for missing permissions.
Prerequisites
You must have administrative access to Microsoft Entra ID.
Ensure you have PowerShell installed and are able to run it as an administrator.
Steps
1. Locate the Application
Navigate to the Entra ID portal and select Applications > Enterprise Applications. Search for Teamflect to proceed.
2. Manage Permissions
Click on Permissions for the selected application, then click the Grant Admin Consent button. This action grants the application the necessary permissions and prevents end-users from being prompted to grant permissions.
3. Prepare to Use PowerShell
Open PowerShell with administrative rights. Before running the script, you will need to modify the part of the script where the Service Principal ID is defined. Replace the placeholder GUID with the actual Service Principal ID, which can be found on the Overview page of your application in Entra ID.
4. Run the PowerShell Script
Execute the following PowerShell (Run as admin) commands to adjust the application's permissions. Change the GUID assigned to $servicePrincipalId ("07e33804-5840-4473-860e-fedd2a4aa1be") below:
# Connect to Microsoft Graph with the necessary scopes
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All"
# Define the Service Principal ID of your application
$servicePrincipalId = "07e33804-5840-4473-860e-fedd2a4aa1be"
# Retrieve all OAuth2 Permission Grants associated with your application's Service Principal
$permissionGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All
# Loop through each permission grant
foreach ($grant in $permissionGrants) {
    # Split the scopes into an array, dropping empty entries left by extra spaces
    $scopes = @($grant.Scope -split ' ' | Where-Object { $_ })
    # Check if the grant includes Calendars.Read or Calendars.Read.Shared
    if ($scopes -contains "Calendars.Read" -or $scopes -contains "Calendars.Read.Shared") {
        # Work out which scopes remain once the calendar scopes are taken out
        $newScopes = @($scopes | Where-Object { $_ -ne "Calendars.Read" -and $_ -ne "Calendars.Read.Shared" })
        if ($newScopes.Count -eq 0) {
            # If only these scopes are present (one or both), remove the entire grant
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
            Write-Output "Removed OAuth2PermissionGrant with Id: $($grant.Id)"
        } else {
            # Otherwise, remove only the specific scopes and update the grant
            $newScopeString = $newScopes -join ' '
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScopeString
            Write-Output "Updated OAuth2PermissionGrant with Id: $($grant.Id) to scopes: $newScopeString"
        }
    }
}
# End
The GUID used above (07e33804-5840-4473-860e-fedd2a4aa1be) is a placeholder; the actual Service Principal ID can be found by going to the Overview page of the Teamflect app in Entra ID.
5. Verify Changes
After completing the steps, navigate back to the Permissions page of the application. The Calendars.Read and Calendars.Read.Shared permissions should no longer be listed.
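To check the result from PowerShell as well as the portal, the following added example (not part of the script in step 4) lists every delegated grant that still carries a calendar scope and what the step 4 script would do with it; no output means the scopes are gone. Find-CalendarScopeGrant is a hypothetical helper name, and the sample grants and their IDs are constructed so the logic can be tried without a tenant connection.

```powershell
# Added example: report delegated grants that still contain the calendar scopes.
# Find-CalendarScopeGrant is a hypothetical helper, not a Microsoft Graph cmdlet.
function Find-CalendarScopeGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Grant,
        [string[]]$TargetScope = @('Calendars.Read', 'Calendars.Read.Shared')
    )
    process {
        # Scope is a space-delimited string and may carry leading or repeated spaces
        $scopes = @("$($Grant.Scope)" -split '\s+' | Where-Object { $_ })
        $found  = @($scopes | Where-Object { $_ -in $TargetScope })
        if ($found.Count -gt 0) {
            $remaining = @($scopes | Where-Object { $_ -notin $TargetScope })
            [pscustomobject]@{
                GrantId     = $Grant.Id
                # AllPrincipals = admin consent for everyone, Principal = one user's consent
                ConsentType = $Grant.ConsentType
                PrincipalId = $Grant.PrincipalId
                Found       = $found -join ' '
                Action      = if ($remaining.Count -eq 0) { 'Remove grant' } else { 'Update grant' }
                Remaining   = $remaining -join ' '
            }
        }
    }
}

# Constructed sample grants (made-up IDs) covering the three cases
$sample = @(
    [pscustomobject]@{ Id = 'grant-1'; ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = ' User.Read Calendars.Read' }
    [pscustomobject]@{ Id = 'grant-2'; ConsentType = 'Principal'; PrincipalId = 'user-1'
                       Scope = 'Calendars.Read Calendars.Read.Shared' }
    [pscustomobject]@{ Id = 'grant-3'; ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = 'User.Read offline_access' }
)
# grant-1 is reported as 'Update grant', grant-2 as 'Remove grant', grant-3 is not listed
$sample | Find-CalendarScopeGrant | Format-Table -AutoSize

# Against the tenant, with the connection and $servicePrincipalId from step 4:
# Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All |
#     Find-CalendarScopeGrant | Format-Table -AutoSize
```

Running the tenant query before step 4 gives a preview of the grants that will change, including per-user grants (ConsentType Principal) that do not come from admin consent.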
6. Disable the Meetings Functionality
Finally, it's essential to disable the meetings functionality in Teamflect’s Admin Center. This will prevent users from seeing a warning message about the meetings tab on their homepage, as it will no longer be functional.
By following these detailed instructions, Microsoft Administrators can effectively manage and remove specific calendar permissions, ensuring a streamlined and compliant user experience within their applications.
Need help?
If you have any difficulties along the way, please contact us at [email protected], or reach out to your Customer Success Manager (only in Essential and Professional plans) whose contact info can be found at https://admin.teamflect.com/#/home.