node.js outlook azure-active-directory microsoft-graph-api azure-ad-graph-api

How to Create Events in User's Outlook Calendar Without Microsoft Account?


I am working on a project where I need to create events in users' Outlook calendars. The requirement is that job inspection dates should be added to the calendar of relevant users. Additionally, users should have the ability to manually create events on their calendars.

After some research, I've identified two possible approaches for achieving this functionality. Given these two approaches, I am unsure which one will work for my requirements. Additionally, I have questions for both:

1. Delegated permissions:

2. Application permissions:

Despite reading the documentation for Microsoft Graph APIs, I find myself more confused than before. I'm seeking clarity on which approach would be best suited for my requirements.

Here are my specific questions:

I am open to any insights, recommendations, or clarifications that can help me make an informed decision. Thank you for your assistance.


Solution

    1. Delegated permissions

    Delegated permissions are generally something you want to avoid unless it's a front-end type application where you're authenticating a user and then using their credentials to do something. For a daemon application or backend app you should use Application permissions (the client credentials flow). The issue with Delegated permissions in a backend context is that you need to have an application/service account (meaning a license), which means you're dealing with a username and password (insecure) or a stored refresh token (hard to manage and unreliable), and there are then the restrictions placed on that user account (MFA, location, conditional access, etc.) to deal with.

    2. Application permissions:

    If you need your app to work on more than one tenant then you need to create a multi-tenant app https://learn.microsoft.com/en-us/entra/identity-platform/single-and-multi-tenant-apps#who-can-sign-in-to-your-app and go through the publisher verification https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview . An admin from the tenant your app needs to work in will need to consent to it; there are a number of ways they can do it if you don't have a specific installer https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
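
The client credentials flow the answer recommends for a backend app, sketched in Node.js as an added example (not code from the original answer). It assumes Node 18+ for the global `fetch`, the `Calendars.ReadWrite` application permission with admin consent, and hypothetical environment variable names `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET`; `createInspectionEvent` and the other function names are illustrative.

```javascript
// Added example, not from the original answer. Function and env names are assumptions.
const GRAPH = "https://graph.microsoft.com";

// Build the OAuth 2.0 client-credentials token request for one tenant.
function buildTokenRequest(tenantId, clientId, clientSecret) {
  // Tenant is a GUID or verified domain; reject anything that could alter the URL path.
  if (!/^[0-9a-zA-Z.-]+$/.test(tenantId)) throw new Error("invalid tenant id");
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      scope: `${GRAPH}/.default`, // application permissions are requested via .default
    }).toString(),
  };
}

// Build the Graph request that creates an event in one named user's calendar.
function buildCreateEventRequest(accessToken, userId, event) {
  const start = Date.parse(event.start), end = Date.parse(event.end);
  if (!event.subject || !(end > start)) throw new Error("subject and start < end required");
  const timeZone = event.timeZone || "UTC";
  return {
    url: `${GRAPH}/v1.0/users/${encodeURIComponent(userId)}/events`,
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      subject: event.subject,
      start: { dateTime: event.start, timeZone },
      end: { dateTime: event.end, timeZone },
    }),
  };
}

// Send a prepared request; the error carries only the path and status, never secrets.
async function send(req) {
  const res = await fetch(req.url, req);
  if (!res.ok) throw new Error(`${new URL(req.url).pathname} failed: ${res.status}`);
  return res.json();
}

// Network path: needs real credentials in the environment, read at call time.
async function createInspectionEvent(userId, event) {
  const { TENANT_ID, CLIENT_ID, CLIENT_SECRET } = process.env;
  const token = await send(buildTokenRequest(TENANT_ID, CLIENT_ID, CLIENT_SECRET));
  return send(buildCreateEventRequest(token.access_token, userId, event));
}
```

As an application permission, `Calendars.ReadWrite` covers every mailbox in the consenting tenant unless an administrator scopes the app to specific mailboxes, so keep the client secret out of source control and restrict the app where possible.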