This guide provides step-by-step instructions for Microsoft Administrators on how to manage and remove specific calendar permissions from an application through the Microsoft Entra Identity and Access Management platform. Following these steps will ensure that the permission dialog does not prompt end-users for missing permissions.

Navigate to the Entra ID portal and select Applications > Enterprise Applications. Search for Teamflect to proceed.

Click on Permissions for the selected application,

Then click the Grant Admin Consent button. This action grants the application the necessary permissions and prevents end-users from being prompted to grant permissions.

Open Powershell with administrative rights. Before running the script, you will need to modify the specific part of the script where the Service Principal ID is defined. Replace the placeholder GUID with the actual Service Principal ID, which can be found on the Overview page of your application in Entra ID.

Execute the following Powershell (Run as admin) commands to adjust the application's permissions. You need to change the part marked in bold ("07e33804-5840-4473-860e-fedd2a4aa1be") below:

#Connect to Microsoft Graph with the necessary scopes

Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All"

# Define the Service Principal ID of your application

$servicePrincipalId = "07e33804-5840-4473-860e-fedd2a4aa1be"

# Retrieve all OAuth2 Permission Grants associated with your application's Service Principal

$permissionGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All

# Loop through each permission grant

foreach ($grant in $permissionGrants) {

# Split the scopes into an array

$scopes = $grant.Scope -split ' '

# Check if the grant includes Calendars.Read or Calendars.Read.Shared

if ($scopes -contains "Calendars.Read" -or $scopes -contains "Calendars.Read.Shared") {

# If only these scopes are present, remove the entire grant

if ($scopes.Count -eq 1) {

Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id

Write-Output "Removed OAuth2PermissionGrant with Id: $($grant.Id)"

} else {

# Otherwise, remove only the specific scopes and update the grant

$newScopes = $scopes | Where-Object { $_ -ne "Calendars.Read" -and $_ -ne "Calendars.Read.Shared" }

$newScopeString = $newScopes -join ' '

Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScopeString

Write-Output "Updated OAuth2PermissionGrant with Id: $($grant.Id) to scopes: $newScopeString"

}

}

}

# End

The GUID marked in bold (07e33804-5840-4473-860e-fedd2a4aa1be) above can be found by going to the Overview page of the Teamflect app in Entra ID.

After completing the steps, navigate back to the Permissions page of the application. The permissions for Calendar.Read or Calendar.Read.Shared should no longer be listed.

Finally, it's essential to disable the meetings functionality in Teamflect’s Admin Center. This will prevent users from seeing a warning message about the meetings tab on their homepage, as it will no longer be functional.

By following these detailed instructions, Microsoft Administrators can effectively manage and remove specific calendar permissions, ensuring a streamlined and compliant user experience within their applications.

If you have any difficulties along the way, please contact us at [email protected], or reach out to your Customer Success Manager (only in Essential and Professional plans) whose contact info can be found at https://admin.teamflect.com/#/home.