Application permissions for Bookings APIs in Microsoft Graph now available
We are delighted to announce that application permissions for Bookings APIs in Microsoft Graph are now available on the beta endpoint.
Microsoft Graph APIs support both delegated and application permissions. Previously, Bookings APIs in Microsoft Graph supported only delegated permissions. Delegated permissions require a signed-in user to be present. In the case of Bookings, this meant that only a Bookings calendar administrator, scheduler, team member, or viewer can use APIs. Customers can’t create appointments, which means that custom solutions that support self-scheduling aren’t available. The addition of application permissions unlocks this scenario.
With application permissions, developers can also create bot-like applications and make Bookings part of workflows that don’t need a user to be signed in. Application permissions can also be used to create tools that help tenant admins monitor Booking calendars. Tenant admins can keep track of Booking calendar staff members, publish status and appointment statistics, and more.
APIs with application permissions
In this release, we are providing application permissions for a limited set of Bookings APIs. This includes application permissions support for read and write APIs for the ‘bookingCustomer ‘and ‘bookingAppointment’ entities. For other entities, including ‘bookingBusiness’, ‘bookingStaffMember’, ‘bookingCustomQuestion’ and ‘bookingService’, we are supporting the read APIs only. Because these tasks are for Bookings admins, delegated permissions are recommended for these use cases.
To create appointments using application permissions, you need to use the getStaffAvailability API. At the same time, you should understand how business rules are validated. There is one fundamental difference in creating appointments with delegated permissions as a Bookings admin and creating appointments using application permissions. It is assumed that an admin can override certain business checks as they are aware of their own calendar. However, the same assumption doesn’t hold while creating appointments using application permissions.