I'm trying to access user's presence off of https://docs.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-1.0&tabs=http
I've granted my AD app Presence.ReadWrite.All which is described as "Allows the app to read all presence information and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location."
There seems to be a bit of a conflict between the docs and what the permission's name is - the docs seem to imply it doesn't work with an application scope, while the permission name/description seems to say it does.
The error I'm getting is Forbidden. This seems to be different from accessing a resource with insufficient permissions (which straight up says InsufficientPermissions).
CodePudding user response:
The docs are clear that you can't do this with Application scope. That means even if the particular permission seems like it should work, it might be because it's used in that way for another endpoint. Notice that, for instance, setPresence and clearPresence both support Presence.ReadWrite.All.
What's really crazy though is that neither getPresence (your endpoint) nor [get Presence for Multiple Users](https://docs.microsoft.com/en-us/graph/api/cloudcommunications-getpresencesbyuserid?view=graph-rest-1.0&tabs=http) support Presence.*Read*Write.All - there is no supported read scenario!
From what I can see, your best bet is to keep an eye on this request and to upvote it. Microsoft (Darrel Miller) is quite active there from last year - perhaps there's an update coming.
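A troubleshooting sketch for the situation in this thread, added here and not part of either post: it decodes an access token's payload to tell an app-only token (`roles` claim) from a delegated one (`scp` claim), then checks the app role against the support matrix as the answer describes it. The matrix contents, function names and sample token are assumptions constructed for illustration, and the signature is not verified, so this is for diagnostics only.

```python
import base64
import json

# Application-permission support per operation, as stated in the answer above
# (an assumption taken from this thread, not fetched from the Graph docs).
APP_ONLY_SUPPORT = {
    "getPresence": set(),
    "getPresencesByUserId": set(),
    "setPresence": {"Presence.ReadWrite.All"},
    "clearPresence": {"Presence.ReadWrite.All"},
}

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, operation):
    """Return (token_type, usable); usable is None when not evaluated."""
    claims = jwt_claims(token)
    scopes = set(claims.get("scp", "").split())   # delegated tokens carry scp
    roles = set(claims.get("roles", []))          # app-only tokens carry roles
    if scopes:
        return ("delegated", None)  # delegated scopes are outside this matrix
    return ("app-only", bool(roles & APP_ONLY_SUPPORT[operation]))

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Constructed sample: client-credentials token holding the role from the question.
SAMPLE = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Presence.ReadWrite.All"],
})

if __name__ == "__main__":
    for op in APP_ONLY_SUPPORT:
        print(op, diagnose(SAMPLE, op))
```
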