Share via

Is it supported and secure to combine SSO (delegated) and Application RBAC (app‑only Exchange Online) in a single Entra application?

Hulleman, Rob 20 Reputation points
2026-03-05T13:43:28.8+00:00

I am looking for an authoritative and technically accurate answer regarding the correct architectural approach for integrating a line‑of‑business application with Microsoft Entra ID and Exchange Online.

The scenario involves a single business application. The application needs to use two completely different identity flows:

  1. Single Sign‑On (SSO) for web, mobile, and desktop, this requires:

Delegated permissions (for example: User.Read)

Interactive authentication (user sign‑in)

Public client flows (MSAL localhost / mobile redirect URIs)

  1. Application RBAC for Exchange Online calendar access, this requires:

App‑only authentication

A Service Principal in Exchange Online

A Management Scope restricting mailboxes

A role assignment such as Application Calendars.ReadWrite

Is it supported, secure, and recommended by Microsoft to implement both, Delegated SSO, and Application RBAC (app‑only Exchange Online access) inside a single Entra Enterprise application? Or is it the intended and supported solution to separate these into two Entra Enterprise registrations, one for SSO and one for Application RBAC?

Nowhere in Microsoft Learn does it explicitly say:

“You must separate SSO and Application RBAC into different app registrations.”

Kind regards,

Azure App Configuration
Azure App Configuration

An Azure service that provides hosted, universal storage for Azure app configurations.

Answer accepted by question author
  1. VEMULA SRISAI 11,160 Reputation points Microsoft External Staff Moderator
    2026-03-05T15:50:41.6333333+00:00

    Hello Hulleman, Rob ,

    Yes it is supported and secure to use both delegated SSO and app‑only Exchange Online access in the same Microsoft Entra app registration.

    A single Entra app can be configured with delegated permissions (used only when a user signs in for SSO) and application permissions (used only when the app authenticates with client credentials). Microsoft explicitly describes these as two distinct permission types based on the OAuth flow being used (delegated tokens vs app‑only tokens).

    https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/application-delegated-permission-access-tokens-identity-platform

    For Exchange Online, RBAC for Applications is designed specifically to grant app‑only access and restrict it to a scoped set of mailboxes. Microsoft Learn states that these Exchange Online RBAC grants are independent of the unscoped grants in Microsoft Entra ID, and the access is enforced through Exchange role assignments and scopes.

    https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

    So there is no Microsoft requirement to split into two app registrations. Splitting into separate apps is optional and usually done only for operational/security boundary reasons (separate ownership, different credential lifecycle, separate environments), not because the platform requires it.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-05T13:43:48.5066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Combining both delegated SSO and app‑only Exchange Online RBAC in a single Microsoft Entra application is supported and secure, and it is an expected scenario.

    From the Exchange Online RBAC for Applications model:

    • RBAC for Applications in Exchange Online is explicitly designed to work in addition to the unscoped permissions granted in Microsoft Entra ID. These Entra permissions can be either delegated or application permissions.
    • The feature “extends the current RBAC model in Exchange Online and it replaces Application Access Policies. These permission grants are independent of the unscoped grants in Microsoft Entra ID.”
    • An app can simultaneously have:
      • Delegated permissions (for example, User.Read) used for SSO and user‑driven flows.
      • Application permissions (for example, Calendars.ReadWrite) that are then further constrained in Exchange Online by RBAC for Applications (service principal + management scope + role assignment).
    • The documentation explicitly describes mixed scenarios where a single app has both Microsoft Entra permissions and RBAC assignments:
      • “An app can have both Microsoft Entra consented permissions and RBAC assignments. We expect this case when an app has (for example) organization‑wide Mail.Read and scoped Mail.Send.”
      • It also walks through examples where the same app has Microsoft Entra‑consented permissions plus RBAC‑scoped permissions, and explains how the effective authorization is computed.

    This shows that:

    1. A single Entra application is a supported and first‑class design for:
      • Delegated SSO flows (OIDC/SAML, interactive sign‑in, public client redirect URIs), and
      • App‑only Exchange Online access controlled by RBAC for Applications (service principal, management scopes, and roles such as Application Calendars.ReadWrite).
    2. RBAC for Applications is intentionally additive to Entra permissions, not a separate app model that must be isolated into a different registration.
    3. The guidance does not state that SSO and Application RBAC must be separated into different app registrations. Instead, it explicitly documents scenarios where a single app has both Entra permissions and RBAC assignments and explains how they combine.

    Architecturally, separating into two app registrations is an optional design choice (for isolation, lifecycle, or admin reasons), not a requirement for support or security. The supported and recommended pattern is:

    • Use Microsoft Entra ID for organization‑wide or unscoped permissions (delegated and/or application).
    • Use Exchange Online RBAC for Applications to add granular, resource‑scoped permissions for the same app’s service principal where needed.

    This aligns with the documented model where RBAC for Applications “offers an alternate expression of authorization with an associated resource scope,” while Entra permissions (delegated or app‑only) provide the OAuth scopes and tokens.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.