claudetools/.claude/memory/feedback_exchange_op_all_access.md
Mike Swanson 730d26437b sync: auto-sync from GURU-5070 at 2026-06-25 21:13:47
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-25 21:13:47
2026-06-25 21:15:00 -07:00


| name | description | metadata |
|---|---|---|
| feedback_exchange_op_all_access | The exchange-op tier is the all-access Exchange tier — stop claiming "no tier can write mail" | type: feedback |

The exchange-op tier (ComputerGuru Exchange Operator app, b43e7342-5b4b-492f-890f-bb5a4f7f40e9) holds the Exchange Administrator directory role PLUS full_access_as_app and Exchange.ManageAsApp. That is full all-access to every mailbox and every Exchange Online operation — reading, writing, moving mail, inbox rules, message trace, TABL, audit config, EWS, the lot.

Why: Mike's recurring correction (2026-06-25) — I keep claiming "no app tier has Mail.ReadWrite, so I need a workaround" and reaching for convoluted paths (EWS gymnastics, etc.). That framing is wrong and wastes time EVERY time. Graph application Mail.ReadWrite is not the only write path; the Exchange Operator app already has full Exchange admin rights.

How to apply: For ANY mailbox/Exchange write or all-access need (move/copy/delete mail, modify rules, change mailbox config, EWS operations, audit settings), default to the exchange-op tier. Never declare a task blocked for lack of mail-write permission without first using exchange-op. The Graph investigator tier is read-only (Mail.Read); investigator-exo lacks Exchange.ManageAsApp (see reference_investigator_exo_manageasapp_gap) — neither limitation means "we can't write," it just means use exchange-op. See reference_tedards_tenant_facts.