
Set default calendar permission for all users with PowerShell

By default, each user can view the free/busy status of another user’s mailbox calendar. This permission can be a problem for users because they can’t see the name or location of the meeting. That’s why most organizations want to set the calendar permission to limitedRead for all users. In this article, you will learn how to set the default calendar permission for all users with Microsoft Graph PowerShell.

Calendar permission

The default calendar permission (freeBusyRead) is set for each Microsoft 365 mailbox. You can always change the default value or set another role for each mailbox.

The table below shows all the calendar role types.

| Member | Description |
| --- | --- |
| none | Calendar isn’t shared with the user. |
| freeBusyRead | User is a recipient who can view free/busy status of the owner on the calendar. |
| limitedRead | User is a recipient who can view free/busy status, and titles and locations of the events on the calendar. |
| read | User is a recipient who can view all the details of the events on the calendar, except for the owner’s private events. |
| write | User is a recipient who can view all the details (except for private events) and edit events on the calendar. |
| delegateWithoutPrivateEventAccess | User is a delegate who has write access but can’t view information of the owner’s private events on the calendar. |
| delegateWithPrivateEventAccess | User is a delegate who has write access and can view information of the owner’s private events on the calendar. |
| custom | User has custom permissions to the calendar. |

If you want to know the calendar permission of all the mailboxes, you can Export Microsoft 365 calendar permissions with PowerShell.

The screenshot below shows the calendar freeBusyRead permission for the appointments and meetings in Outlook or OWA.

Once you set the limitedRead permission for the calendar, you can see the title and location of each appointment and meeting in Outlook or OWA.


Configure app registration in Microsoft Entra

To run the PowerShell script, you first need to create an app registration with the correct permissions and a client secret to authenticate with Microsoft Graph PowerShell.

1. Register new application

  1. Sign in to Microsoft Entra admin center
  2. Click Identity > Applications > App registrations
  3. Click New Registration
  4. Name the application Calendar Perms
  5. Select Accounts in this organizational directory only (m365info only – Single tenant)
  6. Click Register

The application Calendar Perms is created successfully. Copy the values below and paste them into Notepad because you will need them later when connecting to Microsoft Graph.

  1. Copy the Application (client) ID
  2. Copy the Directory (tenant) ID

2. Assign API permissions

You must assign API permissions to the Calendar Perms application you created.

  1. Click API permissions
  2. Click Add a permission
  3. Click Microsoft APIs
  4. Click Microsoft Graph
  5. Click Application permissions
  6. Search for User.Read.All
  7. Select User > User.Read.All
  8. Search for Calendars
  9. Select Calendars > Calendars.ReadWrite
  10. Click Add permissions

You successfully added API permissions, and the next step is to grant admin consent.

  1. Click Grant admin consent for m365info
  2. Click Yes
  3. The green check mark shows that you granted admin consent successfully

4. Create Client Secret

After you register a new application in Microsoft Entra and assign API permissions and grant admin consent, you need to create a client secret.

To create a Client Secret for your application in Microsoft Entra ID, follow these steps:

  1. Click Certificates & secrets
  2. Click Client secrets > New client secret
  3. Type Description
  4. Select an Expiration date
  5. Click Add

Note: The Client Secret expiration date has a maximum of 24 months (2 years). You can Create unlimited Client Secret in Microsoft Entra ID with PowerShell.

  6. Copy the client secret Value and save it in Notepad

Connect to Microsoft Graph with Client Secret

You need to change the parameter values below to connect to Microsoft Graph with the client secret:

  • Type the Application (client) ID value in line 2
  • Type the Directory (tenant) ID value in line 3
  • Type the client secret Value in line 4

Run the below PowerShell script.

# Configuration application
$ClientId = "f8679317-ee8b-48b4-853c-a75907ca256d"
$TenantId = "a2ff010e-0e03-4c56-8863-2ae7f07876dd"
$ClientSecret = "Fit8Q~5bFn8Zh9f3mdpxPr8Lt1tKtq4r2TRyUc~p"

# Convert the client secret to a secure string
$ClientSecretPass = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force

# Create a credential object using the client ID and secure string
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ClientId, $ClientSecretPass

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential

You are connected to Microsoft Graph, and in the next step, you will set the calendar permissions for all users.

Set default calendar permission for all users

To set the calendar permission for all users in your organization, you must first go through all the above steps: create an application in Microsoft Entra with the granted permissions Calendars.ReadWrite and User.Read.All, and then connect to Microsoft Graph using the client secret.

To set the default calendar permission for all users, follow these steps:

  1. Set the calendar permission level in line 2
  2. Run the PowerShell script

# Set the permission level to be set on the calendars.
$Permission = "limitedRead"

# Define the properties to retrieve from the user
$Properties = @(
    'Id',
    'AssignedLicenses',
    'DisplayName',
    'Mail',
    'UserPrincipalName'
)

# Generates a list of all licensed users with a mail address in the Microsoft 365 organization
$users = Get-MgUser -All -Property $Properties | Where-Object { $_.AssignedLicenses.Count -gt 0 -and $null -ne $_.Mail }

# Sets the default access on the default calendar of each user's mailbox
foreach ($user in $users) {

    # Prints the user currently in focus
    Write-Host "Going through the user $($user.UserPrincipalName)" -ForegroundColor Cyan

    # Retrieves the permissions of the user's default calendar
    $CalendarPermissions = Get-MgUserCalendarPermission -UserId $user.Id

    # If the user has any calendar permissions, update them
    if ($CalendarPermissions) {
        # "My Organization" is the default entry that applies to everyone in the organization
        $CalendarPermissionsMyOrg = $CalendarPermissions | Where-Object { $_.EmailAddress.Name -eq "My Organization" } | Select-Object -First 1

        if (-not $CalendarPermissionsMyOrg) {
            # Without this check, the update below would run with an empty permission ID
            Write-Host "No My Organization entry found for $($user.UserPrincipalName)" -ForegroundColor Red
        }
        elseif ($CalendarPermissionsMyOrg.Role -ne $Permission) {
            # Updates the calendar permissions for the user
            $null = Update-MgUserCalendarPermission -UserId $user.Id -Role $Permission -CalendarPermissionId $CalendarPermissionsMyOrg.Id
            # Prints the user whose calendar permissions are being set
            Write-Host "Setting permission on calendar for $($user.UserPrincipalName)" -ForegroundColor Green
        }
        else {
            Write-Host "Permission already set on calendar for $($user.UserPrincipalName)" -ForegroundColor Yellow
        }
    }
}

The PowerShell output shows the below result. All the existing user mailboxes in your organization have the default calendar permission set.

Going through the user Amanda.Hansen@m365info.com
Setting permission on calendar for Amanda.Hansen@m365info.com
Going through the user Andrea.Baker@m365info.com
Setting permission on calendar for Andrea.Baker@m365info.com
Going through the user Brenda.Smith@m365info.com
Setting permission on calendar for Brenda.Smith@m365info.com
Going through the user Carl.Hawk@m365info.com
Setting permission on calendar for Carl.Hawk@m365info.com
Going through the user Chris.Lucas@m365info.com
Setting permission on calendar for Chris.Lucas@m365info.com
Going through the user Diana.Baker@m365info.com
Setting permission on calendar for Diana.Baker@m365info.com
Going through the user Laura.Terry@m365info.com
Setting permission on calendar for Laura.Terry@m365info.com
Going through the user Stephen.Hunter@m365info.com
Setting permission on calendar for Stephen.Hunter@m365info.com
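
The script above overwrites every default role that differs from the target, including mailboxes where the owner set it lower or higher on purpose, so a read-only snapshot taken first gives a record to review and to roll back from. This is an added example, not code from the original article; it assumes the Microsoft Graph session from the previous step, and the report file name and the role ranking are illustrative choices.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
$Target     = 'limitedRead'
# Hypothetical report location; put it somewhere only administrators can read.
$ReportPath = Join-Path $PWD "calendar-default-roles-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

# Roles from the table above, ranked from least to most access (illustrative ranking).
$Rank = @{
    none = 0; freeBusyRead = 1; limitedRead = 2; read = 3; write = 4
    delegateWithoutPrivateEventAccess = 5; delegateWithPrivateEventAccess = 6
}

$users = Get-MgUser -All -Property Id, AssignedLicenses, Mail, UserPrincipalName |
    Where-Object { $_.AssignedLicenses.Count -gt 0 -and $null -ne $_.Mail }

$report = foreach ($user in $users) {
    # Default-calendar entry that applies to everyone in the organization
    $default = Get-MgUserCalendarPermission -UserId $user.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.EmailAddress.Name -eq 'My Organization' } |
        Select-Object -First 1

    # Classify what the bulk change would do to this mailbox
    $action =
        if (-not $default) { 'Skip: no My Organization entry' }
        elseif ($default.Role -eq $Target) { 'None' }
        elseif (-not $default.Role -or -not $Rank.ContainsKey($default.Role)) { 'Review: custom role' }
        elseif ($Rank[$default.Role] -gt $Rank[$Target]) { 'Reduce access' }
        else { 'Widen access' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        PermissionId      = $default.Id
        CurrentRole       = $default.Role
        PlannedAction     = $action
    }
}

# The CSV holds the previous role per mailbox, which is what a rollback needs.
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$report | Group-Object PlannedAction | Select-Object Count, Name
```

Rows marked "Widen access" are mailboxes where colleagues will start seeing meeting titles and locations; rows marked "Reduce access" are mailboxes whose owners had shared more than the target role.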

You can always combine the connection script and the permission script and create a scheduled task that runs every day. This way, you don’t need to do anything if a new user is created.
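
For an unattended scheduled task, the client secret should not sit in plain text in the script file, because the app holds Calendars.ReadWrite and User.Read.All for the whole organization. The added example below (not from the original article) reads the secret from a SecretManagement vault and checks the session before any change runs; the vault entry name CalendarPermsClientSecret and the ID placeholders are assumptions, and a vault must already be registered for the account that runs the task.

```powershell
# Added example (not from the original article). IDs are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.PowerShell.SecretManagement

$ClientId   = '<application-client-id>'
$TenantId   = '<directory-tenant-id>'
$SecretName = 'CalendarPermsClientSecret'   # hypothetical vault entry name

# Application permissions the article grants; anything else is unexpected.
$Expected = @('User.Read.All', 'Calendars.ReadWrite')

# Get-Secret returns a string secret as a SecureString unless -AsPlainText is used,
# so the value never appears in the script file or in a transcript.
$Secret     = Get-Secret -Name $SecretName -ErrorAction Stop
$Credential = [pscredential]::new($ClientId, $Secret)

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $Credential -NoWelcome -ErrorAction Stop

# Confirm this is the app-only session for the intended tenant.
$Context = Get-MgContext
if ($Context.AuthType -ne 'AppOnly' -or $Context.TenantId -ne $TenantId) {
    Disconnect-MgGraph | Out-Null
    throw "Unexpected Graph session: AuthType=$($Context.AuthType) TenantId=$($Context.TenantId)"
}

# For app-only sessions, Scopes lists the application permissions in the token.
$Missing = $Expected | Where-Object { $_ -notin $Context.Scopes }
$Extra   = $Context.Scopes | Where-Object { $_ -notin $Expected }

if ($Missing) {
    Disconnect-MgGraph | Out-Null
    throw "App is missing permissions: $($Missing -join ', ')"
}
if ($Extra) {
    # Permission creep on the app registration widens what a leaked secret can do.
    Write-Warning "App holds permissions this job does not need: $($Extra -join ', ')"
}
```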

That’s it!

Read more: Configure Certificate-Based Authentication to run automated PowerShell scripts »

Conclusion

You learned how to set default calendar permission for all users with Microsoft Graph PowerShell. You need to configure an application with the correct permissions in Microsoft Entra ID. After that you can connect to Microsoft Graph with the client secret and run the PowerShell script. This way, you can easily set the default calendar permission for all users in your organization.


o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.
