Only organization owners and admins can create and enable a Delegation Credential. The admin’s email must belong to the Microsoft 365 domain being configured.
What you need
Before starting, make sure you have:- Organization admin access in Cal.com
- Microsoft Entra admin access to register an application and grant admin consent
- A Microsoft 365 tenant with the domain you want to configure
Step 1: Register an application in Microsoft Entra ID
Open the Microsoft Entra admin center
Go to entra.microsoft.com and sign in with your Microsoft 365 admin account.
Create a new app registration
Go to Identity → Applications → App registrations and click New registration. Give your application a name (for example,
Cal.com Delegation Credential).Choose supported account types
Select Accounts in this organizational directory only (single tenant). You don’t need to add a redirect URI for this flow.
Step 2: Add API permissions
The application needs three Microsoft Graph application permissions so Cal.com can read and write calendars, resolve users by email, and rotate its own client secret.| Permission | Why Cal.com needs it |
|---|---|
Calendars.ReadWrite | Read availability and create or update calendar events for members in the tenant. |
User.Read.All | Resolve the Microsoft 365 user for a Cal.com member by their email address. |
Application.ReadWrite.OwnedBy | Automatically rotate the client secret on the app registration Cal.com owns, before it expires. |
Add the required permissions
Search for and add each of the following, one at a time:
Calendars.ReadWriteUser.Read.AllApplication.ReadWrite.OwnedBy
Step 3: Create a client secret
Open Certificates & secrets
From your application page, go to Certificates & secrets and click New client secret.
Set a description and expiry
Add a description (for example,
Cal.com DWD) and choose an expiration period that suits your security policy.Step 4: Create the Delegation Credential in Cal.com
Open Delegation Credential settings
In Cal.com, go to Settings → Organization → Delegation Credential.
Fill in the form
- Domain: Enter your Microsoft 365 domain (for example,
acme.comif your emails are@acme.com) - Workspace Platform: Select Microsoft 365
- Client ID: Paste the Application (client) ID from Step 1
- Tenant ID: Paste the Directory (tenant) ID from Step 1
- Client Secret: Paste the secret Value you copied in Step 3
Step 5: Enable the Delegation Credential
What happens after enabling
Once the Delegation Credential is enabled:- Microsoft 365 Calendar is auto-connected for all organization members whose email matches the configured domain — they do not need to connect it manually
- New members added to the organization automatically get their calendar connected
- Members cannot disconnect the delegation-managed calendar credential (they can still connect additional calendars manually)
Disabling the Delegation Credential
Disabling a Delegation Credential:- Immediately stops auto-connecting calendars for members who haven’t manually connected Microsoft 365
- Preserves existing calendar preferences (selected calendars and destination calendar) for members who had them configured
- Background jobs clean up delegation-specific credential records over time
Frequently asked questions
Do members need to do anything after the credential is enabled?
Do members need to do anything after the credential is enabled?
No. Microsoft 365 Calendar is automatically connected for all members whose email matches the domain. Members can optionally complete onboarding to select which calendars to check for conflicts.
What if a member already connected Microsoft 365 manually?
What if a member already connected Microsoft 365 manually?
The Delegation Credential takes priority for the matching domain. The member’s manual connection is preserved but the delegation-managed credential is used for calendar operations.
What permissions does the application get?
What permissions does the application get?
The application is granted three Microsoft Graph application permissions:
- Calendars.ReadWrite — read availability and create or update calendar events for members in the configured tenant.
- User.Read.All — resolve the Microsoft 365 user for a Cal.com member by their email address.
- Application.ReadWrite.OwnedBy — rotate the client secret on the app registration Cal.com owns before it expires.
Application.ReadWrite.OwnedBy is scoped to applications the credential owns — it cannot modify other apps in your tenant.What happens when the client secret expires?
What happens when the client secret expires?
With
Application.ReadWrite.OwnedBy granted, Cal.com automatically rotates the client secret before it expires — you do not need to create a new secret manually. If the permission is not granted (or admin consent is revoked), the credential stops working once the secret expires. Create a new client secret in the Microsoft Entra admin center and update the credential in Cal.com from the Delegation Credential settings.