Use Microsoft Graph to investigate backend issues in the SAIL Boat to SAIL-AWAY calendar migration and the dependency on Nathaniel Hatfield's account.
LITIFY_ORG is connected and live SOQL succeeds.admin/outlook-audits/sail-away-calendar-migration-20260603/graph_backend_diagnostic.py.admin/outlook-audits/sail-away-calendar-migration-20260603/graph-backend-diagnostic-2026-06-03.jsonadmin/outlook-audits/sail-away-calendar-migration-20260603/graph-backend-diagnostic-2026-06-03.mdSAIL-Audit-Visibility includes calendar read/write roles, plus broad directory/audit/mailbox permissions.SAIL Boat is a calendar under Nathaniel Hatfield's mailbox, owner Hatfield@kylawoffice.com, with canEdit, canShare, and canViewPrivateItems available through Graph.SAIL Boat has 44 internal calendar permissions: 39 read, 5 write.Hatfield@kylawoffice.com as organizer. The sample returned 1,635 events, with 7 created today and 7 modified today, June 3, 2026.403 ErrorAccessDenied for app-only Graph.sailaway@kylawoffice.com and sail-away@kylawoffice.com do not resolve as user or shared mailbox objects through /users/{address}.The backend issue is not that Graph lacks general calendar permissions. The app can read Nathaniel's mailbox and has calendar roles. The issue is target architecture and access shape.
The old production-like target is Nathaniel Hatfield's personal mailbox calendar named SAIL Boat. It has broad shared permissions and all returned events are organized by Nathaniel. That makes the PTO calendar dependency account-bound and not firm-neutral.
The intended SAIL-AWAY target is currently a Microsoft 365 group, not a mailbox-backed user/shared mailbox calendar. The app can see the group, members, owners, and conversations, but cannot access /groups/{id}/calendar or /groups/{id}/events. Both return 403 ErrorAccessDenied.