Forum Discussion
Scoping application Crestron to access only room mailboxes of resourcetype Workspace
Did you remove the corresponding permissions (Calendars.ReadWrite, MailboxSettings.Read) on the Graph side? Here's the relevant quote from the documentation: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac#why-does-my-application-still-have-access-to-mailboxes-that-arent-granted-using-rbac
Why does my application still have access to mailboxes that aren't granted using RBAC?
You need to ensure that you've removed the tenant-wide unscoped permissions you assigned in Microsoft Entra ID. The permissions assigned using RBAC act in addition to grants you make in Microsoft Entra ID. Microsoft Entra permissions can only be constrained using Application Access Policies.
- PoorMens_Bravo, Aug 06, 2025, Brass Contributor
So, I did not migrate from Application access policy; this was a new request and hence I went ahead with Application RBAC.
- VasilMichev, Aug 06, 2025, MVP
That's not what the above means. Just remove the permissions on the Entra side and you should be fine.
- PoorMens_Bravo, Aug 07, 2025, Brass Contributor
(For some reason this site is slow and breaks a lot. I remember replying to this message earlier, but it vanished after I hit the Reply button.)
OK, yes, I got what you meant. I went ahead and cleared the Entra permissions and tested again; this time the test was successful.
Result:
- Events were successfully retrieved for Workspace mailboxes.
- Non-Workspace mailboxes returned 403 errors.
However, the issue with authentication persisted even after this change. The sign-in logs show:
Sign-in error code: 7000215
Failure reason: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{identifier}'.
Additional details: Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.
Assuming that the secret code was used instead of the secret, I actually tried once again with the secret; the issue seems to persist, somehow. I have a feeling that this is some sort of human error.
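
An added example, not part of the thread or of Microsoft's documentation: a small pre-flight check for the two problems discussed above. It reads the `roles` claim of an app-only Graph token to see whether the tenant-wide Entra permissions named in the thread are still granted, and flags a configured secret that is GUID-shaped and so is probably the secret ID rather than the secret value. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json
import re

# Tenant-wide Graph application permissions named in the thread.
UNSCOPED_ROLES = {"calendars.readwrite", "mailboxsettings.read"}
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def looks_like_secret_id(secret):
    """A client secret ID is a GUID; sending it as the secret yields error 7000215."""
    return GUID_RE.fullmatch(secret.strip()) is not None


def token_roles(jwt):
    """Read the 'roles' claim from a JWT payload. Inspection only: no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def leftover_unscoped_roles(jwt):
    """Entra-granted roles that still give tenant-wide mailbox access."""
    return sorted(r for r in token_roles(jwt) if r.casefold() in UNSCOPED_ROLES)


def constructed_token(roles):
    """Build an unsigned sample token (constructed data, not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com"}
    if roles:
        claims["roles"] = roles
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])


if __name__ == "__main__":
    before = constructed_token(["Calendars.ReadWrite", "MailboxSettings.Read"])
    after = constructed_token([])
    print("before cleanup:", leftover_unscoped_roles(before))
    print("after cleanup: ", leftover_unscoped_roles(after))
    print("GUID-shaped secret:", looks_like_secret_id("11111111-2222-3333-4444-555555555555"))
```

An empty result from `leftover_unscoped_roles` means the token carries none of the listed Entra grants, so mailbox access depends on the Exchange RBAC scope alone.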