Scoping application Crestron to access only room mailboxes of resourcetype Workspace

Question

We got a requirement for to enable application Crestron to be able to access Workspace resourcetype Room mailboxes only. So, we thought of directly tieing the application to these mailboxes over the usual way of assigning it to a group because we had to create a group just for to maintain this delegation.Below are the steps we performed:#Create management scope
Connect-ExchangeOnline

New-ManagementScope -Name "Workspace Mailboxes" `
    -RecipientRestrictionFilter "((RecipientTypeDetails -eq 'RoomMailbox') -and (ResourceType -eq 'Workspace'))"
#Assign the management scope to Roles
New-ManagementRoleAssignment `
    -App "&lt;AppID&gt;" `
    -Role "Application Calendars.ReadWrite" `
    -CustomResourceScope "Workspace Mailboxes" `
    -Name "MyApp-WorkspaceOnly"

New-ManagementRoleAssignment `
    -App "&lt;AppID&gt;" `
    -Role "Application MailboxSettings.Read" `
    -CustomResourceScope "Workspace Mailboxes" `
    -Name "MyApp-WorkspaceOnly-Settings"
#Verified the assignment via:
Get-ManagementRoleAssignment -App "&lt;AppID&gt;" | ft Name, Role, CustomResourceScope
Name                      Role                           CustomResourceScope
----                      ----                           -------------------
MyApp-WorkspaceOnly       Application Calendars.ReadWrite Workspace Mailboxes
MyApp-WorkspaceOnly-Settings Application MailboxSettings.Read Workspace Mailboxes&nbsp;Tested the scope of the assignment with a non-workspace mailbox and a workspace mailbox, the scope resulted false for non-workspace mailbox and true for a workspace mailbox.&nbsp;Later, admin consented for API permissions Calendars.ReadWrite, Mailboxsettings.Read &amp; User.Read.All and generated an application secret with validity of 180 days to the application team and shared the secret key.&nbsp;ISSUE: When application team tested the access from Crestron application for a workspace mailbox it is resulting in Authentication Failed. This is the actual issue.&nbsp;In order to test whether this is happening because of scope , performed the below steps:$TenantId = "&lt;TenantID&gt;"
$AppId = "&lt;AppID&gt;"
$ClientSecret = "&lt;ClientSecret&gt;"

$Body = @{
    grant_type    = "client_credentials"
    client_id     = $AppId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"
}

$TokenRequest = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Method POST -Body $Body

$AccessToken = $TokenRequest.access_token

$WorkspaceMailbox = "&lt;email address removed for privacy reasons&gt;"
Invoke-RestMethod `
    -Uri "https://graph.microsoft.com/v1.0/users/$WorkspaceMailbox/events" `
    -Headers @{Authorization = "Bearer $AccessToken"}The expected results for this test was to receive&nbsp;Workspace mailbox → Returns events.Non-Workspace mailbox → Should return 403 Forbidden.However, it resulted events in both the cases, when dug further I realised that Graph API will override the management scopes created at Exchange level, so need guidance on how we can take this further.

vasilmichev · Answer

Did you remove the corresponding permissions (Calendars.ReadWrite, Mailboxsettings.Read) on Graph side? Here's the relevant quote from the documentation: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac#why-does-my-application-still-have-access-to-mailboxes-that-arent-granted-using-rbac&nbsp;

Why does my application still have access to mailboxes that aren't granted using RBAC?
You need to ensure that you've removed the tenant-wide unscoped permissions you assigned in Microsoft Entra ID. The permissions assigned using RBAC act in addition to grants you make in Microsoft Entra ID. Microsoft Entra permissions can only be constrained using Application Access Policies.

poormens_bravo · Answer

So, I did not migrate from Application access policy, this was a new request and hence went ahead with Application RBAC

vasilmichev · Answer

That's not what the above means. Just remove the permissions on Entra side and you should be fine.

poormens_bravo · Answer

Actually thanks VasilMichev​ for pointing that out and I agree that's correct, I just removed the Entra permissions for the application and my Graph test started showing up correctly.... Which means that the scope for the application is working as expected... However, we still stand with the issue of Authentication, I am not sure from where to start investigating that....Is there a place I can check for logs?

poormens_bravo · Answer

(For some reason this site is slow and breaks alot, I remember replying to this message earlier, but vanished after I hit the Reply button)Ok, yes i got what you meant...I went ahead and cleared the Entra permissions, and tested again, this time the test was successful.&nbsp;Result:Events were successfully retrieved for Workspace mailboxes.Non-Workspace mailboxes returned 403 errors.However, the issue with authentication persisted even after this change. The sign-in logs show:Sign-in error code 7000215Failure reasonInvalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{identifier}'.Additional detailsDeveloper error - the app is attempting to sign in without the necessary or correct authentication parameters.&nbsp;Assuming that secret code was used instead of Secret actually tried once again with secret, the issue seems to persist, somehow. I have a feeling that this is something a human error sort of.&nbsp;

Forum Discussion

Scoping application Crestron to access only room mailboxes of resourcetype Workspace

6 Replies

Why does my application still have access to mailboxes that aren't granted using RBAC?

Resources