Files
claudetools/.claude/memory/reference_investigator_exo_manageasapp_gap.md
Mike Swanson 730d26437b sync: auto-sync from GURU-5070 at 2026-06-25 21:13:47
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-25 21:13:47
2026-06-25 21:15:00 -07:00

1.3 KiB

name, description, metadata
name description metadata
reference_investigator_exo_manageasapp_gap Why the remediation-tool investigator-exo tier 401s on EXO adminapi; use exchange-op instead
type
reference

The Security Investigator app (bfbc12a4-f0dd-4e12-b06d-997e7271e10c) registration grants only the full_access_as_app (EWS) Office 365 Exchange Online app role — it is missing Exchange.ManageAsApp. The EXO REST admin API (outlook.office365.com/adminapi/beta/{tid}/InvokeCommand — Get-Mailbox, Get-InboxRule, Search-UnifiedAuditLog, etc.) requires Exchange.ManageAsApp, so the investigator-exo token returns 401 on every cmdlet.

The Exchange Administrator directory role is NOT the cause — it is already assigned to the Investigator SP. The gap is the API permission on the app registration, which is a manual Entra portal change (suite rule: app registrations stay manual) and arguably shouldn't be added to the read-only Investigator at all.

How to apply: for any EXO InvokeCommand work (mailbox reads, inbox rules, message trace, TABL, audit), use the exchange-op tier — the Exchange Operator app (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) carries BOTH full_access_as_app and Exchange.ManageAsApp. Don't waste a round trip on investigator-exo for adminapi. See reference_tedards_tenant_facts.