
How to Remove Calendar (Calendars.Read) Permissions from Teamflect in Microsoft Entra ID

Manage calendar permissions with ease using Microsoft Entra ID and PowerShell for a seamless user experience.

Written by Denzel
Updated over 2 months ago

This guide explains how to remove delegated Microsoft Graph permissions (such as Calendars.Read) from the Teamflect Enterprise Application in Microsoft Entra ID.

Removing these permissions will eliminate tenant-wide calendar access. Depending on your configuration, this can either:

  • Fully disable calendar integration, or

  • Allow users to individually grant calendar access via consent prompts

Please review the scenarios below before proceeding.

Important: Understand the Two Possible Outcomes

Microsoft Entra ID supports two delegated permission models:

Model 1 – Tenant-wide admin consent

If admin consent is granted at the tenant level, all users are pre-approved and no consent prompt appears.

Model 2 – Per-user consent

If tenant-wide consent is removed, users may be prompted individually to grant permission (depending on your tenant’s user consent policy).

Microsoft does not support a configuration where tenant-wide consent is granted and users can opt out individually.

When Should You Remove Calendars.Read?

You should remove calendar permissions if:

  • Your organization does not want Teamflect accessing user calendars at all

  • You want to move from tenant-wide consent to per-user consent

  • You are tightening delegated permission governance

Step-by-Step: Remove Calendar Permissions

Before you start:

  • You must have administrative access to Microsoft Entra ID.

  • Ensure you have PowerShell installed and can run it as an administrator.

1. Locate the Application

Navigate to the Entra ID portal and select Applications > Enterprise Applications. Search for Teamflect to proceed.

2. Manage Permissions

Click on Permissions for the selected application, then click the Grant Admin Consent button. This action grants the application the necessary permissions and prevents end-users from being prompted to grant permissions.

3. Prepare to Use PowerShell

Open PowerShell with administrative rights. Before running the script, you will need to modify the specific part of the script where the Service Principal ID is defined. Replace the placeholder GUID with the actual Service Principal ID, which can be found on the Overview page of your application in Entra ID.

4. Run the PowerShell script

Execute the following PowerShell (Run as admin) commands to adjust the application's permissions. You need to change the part marked in bold ("07e33804-5840-4473-860e-fedd2a4aa1be") below:

# Needs the Microsoft Graph PowerShell SDK

# Connect to Microsoft Graph with the necessary scopes
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All"

# Define the Service Principal ID of your application
# (the Object ID on the enterprise application's Overview page, not the Application ID)
$servicePrincipalId = "07e33804-5840-4473-860e-fedd2a4aa1be"

# Retrieve all OAuth2 Permission Grants associated with your application's Service Principal
$permissionGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All

# Loop through each permission grant
foreach ($grant in $permissionGrants) {
    # Split the scopes into an array, dropping empty entries (the string can start with a space)
    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ })

    # Check if the grant includes Calendars.Read or Calendars.Read.Shared
    if ($scopes -contains "Calendars.Read" -or $scopes -contains "Calendars.Read.Shared") {
        # Keep every scope except the two calendar scopes
        $newScopes = @($scopes | Where-Object { $_ -ne "Calendars.Read" -and $_ -ne "Calendars.Read.Shared" })

        if ($newScopes.Count -eq 0) {
            # If only these scopes are present (one or both), remove the entire grant
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
            Write-Output "Removed OAuth2PermissionGrant with Id: $($grant.Id)"
        } else {
            # Otherwise, remove only the specific scopes and update the grant
            $newScopeString = $newScopes -join ' '
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScopeString
            Write-Output "Updated OAuth2PermissionGrant with Id: $($grant.Id) to scopes: $newScopeString"
        }
    }
}

# End

The GUID marked in bold (07e33804-5840-4473-860e-fedd2a4aa1be) above can be found by going to the Overview page of the Teamflect app in Entra ID.

5. Verify Changes

After completing the steps, navigate back to the Permissions page of the application. The permissions for Calendars.Read or Calendars.Read.Shared should no longer be listed.
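
The same check can be scripted. The following is an added example, not Teamflect's own script: it separates tenant-wide grants (consentType AllPrincipals, Model 1) from per-user grants (consentType Principal, Model 2) and flags any grant that still carries a calendar scope. The function name Get-CalendarGrantReport and the sample grants are assumptions made for illustration; the sample data is constructed and its IDs are placeholders.

```powershell
# Added example: classify delegated grants after the removal script has run.
function Get-CalendarGrantReport {
    param(
        [Parameter(Mandatory)] [object[]] $Grants,
        [string[]] $CalendarScopes = @('Calendars.Read', 'Calendars.Read.Shared')
    )
    foreach ($grant in $Grants) {
        # Scope is a space-separated string and may start with a space
        $scopes   = @("$($grant.Scope)" -split '\s+' | Where-Object { $_ })
        $calendar = @($scopes | Where-Object { $_ -in $CalendarScopes })
        [pscustomobject]@{
            GrantId        = $grant.Id
            # AllPrincipals = tenant-wide admin consent; Principal = one user's consent
            Model          = if ($grant.ConsentType -eq 'AllPrincipals') { 'Tenant-wide' } else { 'Per-user' }
            PrincipalId    = $grant.PrincipalId
            CalendarScopes = $calendar -join ' '
            HasCalendar    = $calendar.Count -gt 0
        }
    }
}

# Constructed sample grants with the properties Get-MgOauth2PermissionGrant returns
$sampleGrants = @(
    [pscustomobject]@{ Id = 'grant-1-placeholder'; ConsentType = 'AllPrincipals'
                       PrincipalId = $null; Scope = ' User.Read offline_access' }
    [pscustomobject]@{ Id = 'grant-2-placeholder'; ConsentType = 'Principal'
                       PrincipalId = 'user-object-id-placeholder'; Scope = 'Calendars.Read' }
)

$report = Get-CalendarGrantReport -Grants $sampleGrants
$report | Format-Table GrantId, Model, PrincipalId, CalendarScopes

# Tenant-wide calendar access is gone only if no AllPrincipals grant carries a calendar scope
$tenantWide = @($report | Where-Object { $_.Model -eq 'Tenant-wide' -and $_.HasCalendar })
if ($tenantWide.Count -eq 0) {
    'OK: no tenant-wide calendar grant remains'
} else {
    "Still tenant-wide: $($tenantWide.GrantId -join ', ')"
}

# Against a live tenant, feed it the same query the removal script uses:
# $live = Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All
# Get-CalendarGrantReport -Grants $live
```

Per-user rows that still list a calendar scope are individual consents. The removal script in step 4 filters only on clientId, so running it again would strip those as well.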

What Happens After Removal?

After removing the tenant-wide grant:

Scenario A – You Want to Disable Meetings Completely

  • Disable the Meetings module in Teamflect Admin Center.

  • Users will no longer have calendar integration.

Scenario B – You Want Users to Grant Access Individually

  • Ensure User Consent is enabled in your Entra ID tenant.

  • Users will see a one-time consent prompt when accessing the Meetings module.

  • Only users who approve the prompt grant calendar access, and they can do so without depending on Microsoft admin approval.

How Users Can Grant Calendar Access After Tenant-Wide Consent Is Removed 👇

Important Notes

  • Removing the tenant-wide grant does not automatically disable the feature.

  • Per-user consent behavior depends on your Entra ID user consent policy.

  • Users must fully sign out and back in to test changes.

By following these detailed instructions, Microsoft Administrators can effectively manage and remove specific calendar permissions, ensuring a streamlined and compliant user experience within their applications.

Need help?

If you have any difficulties along the way, please contact us at [email protected].
