Forum Discussion
PoorMens_Bravo
Aug 05, 2025, Brass Contributor
Scoping application Crestron to access only room mailboxes of resourcetype Workspace
We got a requirement to enable the application Crestron to access Workspace resource-type room mailboxes only. So, we thought of directly tying the application to these mailboxes over the ...
maurobalsano
Dec 08, 2025, MCT
Yep, what you're seeing is expected if the app still has Graph application permissions. App RBAC scopes only constrain Exchange Online "Application" roles.
Graph app perms remain tenant-wide and will bypass your EXO scope, so /users/{mailbox}/events succeeds everywhere.
Action:
- Remove Graph application perms like Calendars.ReadWrite, MailboxSettings.Read, User.Read.All, etc. in Entra ID and revoke admin consent.
- Keep only EXO Application roles and your custom resource scope, then re-consent and retest.
After that, non-Workspace mailboxes should return 403.
If you must use Graph app perms, EXO RBAC can't scope them today: it needs a delegated flow or a separate app.
Let us know if this fixes it.
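The procedure in the reply above, as an added example that is not code from either poster: strip the app's tenant-wide Graph application permissions, grant an Exchange Online "Application" role under a custom resource scope, and check the effective scope with Test-ServicePrincipalAuthorization before retesting with a token. The client ID, service principal object ID, display name, mailbox addresses and the OPATH filter for Workspace mailboxes are assumptions; verify the filter against Get-Mailbox output in your own tenant before relying on it.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement and
# Microsoft.Graph PowerShell modules and an account allowed to manage app role
# assignments in Entra ID and RBAC for Applications in Exchange Online.

$AppId      = '00000000-0000-0000-0000-000000000000'   # hypothetical Entra client (application) ID
$SpObjectId = '11111111-1111-1111-1111-111111111111'   # hypothetical object ID of the app's service principal

# 1. Remove the tenant-wide Graph application permissions named in the reply.
#    A Graph application permission is an app-role assignment on the Microsoft Graph
#    service principal; deleting that assignment is what revokes the admin consent.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$toRemove = @('Calendars.ReadWrite', 'MailboxSettings.Read', 'User.Read.All')
$roleIds  = $graphSp.AppRoles | Where-Object { $_.Value -in $toRemove } | Select-Object -ExpandProperty Id

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SpObjectId |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.AppRoleId -in $roleIds } |
    ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SpObjectId -AppRoleAssignmentId $_.Id
    }

# 2. Register the app in Exchange Online and grant an "Application" role limited to a
#    custom resource scope. The filter assumes Workspace mailboxes are RoomMailbox
#    recipients whose ResourceType is 'Workspace' (assumption; check with Get-Mailbox).
Connect-ExchangeOnline
New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName 'Crestron' | Out-Null

New-ManagementScope -Name 'Workspace room mailboxes' `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox' -and ResourceType -eq 'Workspace'" | Out-Null

New-ManagementRoleAssignment -App $AppId -Role 'Application Calendars.ReadWrite' `
    -CustomResourceScope 'Workspace room mailboxes' | Out-Null

# 3. Check the effective scope before testing with a real token: InScope should be True
#    for a Workspace mailbox and False for an ordinary room or user mailbox.
#    (Mailbox addresses below are placeholders.)
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'workspace-a@contoso.com' |
    Format-Table RoleName, GrantedPermissions, AllowedResourceScope, InScope
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'alice@contoso.com' |
    Format-Table RoleName, GrantedPermissions, AllowedResourceScope, InScope
```

Only after step 1 has removed every Graph application permission does the scope in step 2 decide the outcome; as long as a Graph app-role assignment such as Calendars.ReadWrite remains, a call to /users/{mailbox}/events with an application token succeeds regardless of what Test-ServicePrincipalAuthorization reports, so re-consent, acquire a fresh token, and confirm that a non-Workspace mailbox now returns 403.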