| name | description | metadata |
|---|---|---|
| feedback_exchange_op_all_access | The exchange-op tier is the all-access Exchange tier — stop claiming "no tier can write mail" | |

The exchange-op tier (ComputerGuru Exchange Operator app, b43e7342-5b4b-492f-890f-bb5a4f7f40e9) holds the Exchange Administrator directory role PLUS full_access_as_app and Exchange.ManageAsApp. That is full all-access to every mailbox and every Exchange Online operation — reading, writing, moving mail, inbox rules, message trace, TABL, audit config, EWS, the lot.
Why: Mike's recurring correction (2026-06-25) — I keep claiming "no app tier has Mail.ReadWrite, so I need a workaround" and reaching for convoluted paths (EWS gymnastics, etc.). That framing is wrong and wastes time EVERY time. Graph application Mail.ReadWrite is not the only write path; the Exchange Operator app already has full Exchange admin rights.
How to apply: For ANY mailbox/Exchange write or all-access need (move/copy/delete mail, modify rules, change mailbox config, EWS operations, audit settings), default to the exchange-op tier. Never declare a task blocked for lack of mail-write permission without first using exchange-op. The Graph investigator tier is read-only (Mail.Read); investigator-exo lacks Exchange.ManageAsApp (see reference_investigator_exo_manageasapp_gap) — neither limitation means "we can't write," it just means use exchange-op. See reference_tedards_tenant_facts.