You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_262_img_3.jpg You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege. What should you do?

Add a new Application API permission for Microsoft.Graph Calendars.ReadWrite.

Probably B, since Application permission is needed for background access to all user calendars. Not totally sure, can someone confirm?

Question 11 - Microsoft Azure AZ-500 Real Exam Questions [Feb 2026 Update]

Q: 11

You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table.

You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege. What should you do?

Options

Correct Answer:

Explanation

The requirement is for the application to access all user calendars and create appointments. This indicates the app needs to operate without a signed-in user context, often as a background service or daemon. This scenario requires Application permissions, which grant the app its own permissions to access data across the organization. The Microsoft.Graph Calendars.ReadWrite permission provides the exact level of access needed to read calendars and create appointments. This adheres to the principle of least privilege by not granting broader permissions like full mailbox access.

Why Incorrect

A: Delegated permissions require a user to be signed in and only grant the app access to the resources of that specific user, not all users.

C: Granting admin consent is an action performed after a permission is added. It does not, by itself, add the necessary API permission to the app registration.

D: The Calendars.ReadWrite.Shared permission is a delegated permission that only allows access to calendars that have been explicitly shared with the signed-in user.

References

1. Microsoft Graph permissions reference

Calendar permissions: Microsoft Learn. Under the "Calendar" section

the Application permission Calendars.ReadWrite is described as: "Allows the app to create

read

update

and delete events in all calendars without a signed-in user." This directly matches the scenario. The Delegated permission

in contrast

is scoped to the signed-in user's calendars.

Source: Microsoft Learn

"Microsoft Graph permissions reference"

Section: "Calendar permissions".

2. Permissions and consent in the Microsoft identity platform: Microsoft Learn. This document clarifies the distinction between permission types. It states

"For app-only access

the app acts on its own with no user signed in... App-only access is used in scenarios such as automation and backup." The need to access "all user calendars" fits this app-only access model

which uses Application permissions.

Source: Microsoft Learn

"Permissions and consent in the Microsoft identity platform"

Section: "Permission types".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE