![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 77%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHR%3C/text%3E%3C/svg%3E)
Azure App Configuration
An Azure service that provides hosted, universal storage for Azure app configurations.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Combining both delegated SSO and app‑only Exchange Online RBAC in a single Microsoft Entra application is supported and secure, and it is an expected scenario.
From the Exchange Online RBAC for Applications model:
- RBAC for Applications in Exchange Online is explicitly designed to work in addition to the unscoped permissions granted in Microsoft Entra ID. These Entra permissions can be either delegated or application permissions.
- The feature “extends the current RBAC model in Exchange Online and it replaces Application Access Policies. These permission grants are independent of the unscoped grants in Microsoft Entra ID.”
- An app can simultaneously have:
- Delegated permissions (for example,
User.Read) used for SSO and user‑driven flows. - Application permissions (for example,
Calendars.ReadWrite) that are then further constrained in Exchange Online by RBAC for Applications (service principal + management scope + role assignment).
- Delegated permissions (for example,
- The documentation explicitly describes mixed scenarios where a single app has both Microsoft Entra permissions and RBAC assignments:
- “An app can have both Microsoft Entra consented permissions and RBAC assignments. We expect this case when an app has (for example) organization‑wide
Mail.Readand scopedMail.Send.” - It also walks through examples where the same app has Microsoft Entra‑consented permissions plus RBAC‑scoped permissions, and explains how the effective authorization is computed.
- “An app can have both Microsoft Entra consented permissions and RBAC assignments. We expect this case when an app has (for example) organization‑wide
This shows that:
- A single Entra application is a supported and first‑class design for:
- Delegated SSO flows (OIDC/SAML, interactive sign‑in, public client redirect URIs), and
- App‑only Exchange Online access controlled by RBAC for Applications (service principal, management scopes, and roles such as Application Calendars.ReadWrite).
- RBAC for Applications is intentionally additive to Entra permissions, not a separate app model that must be isolated into a different registration.
- The guidance does not state that SSO and Application RBAC must be separated into different app registrations. Instead, it explicitly documents scenarios where a single app has both Entra permissions and RBAC assignments and explains how they combine.
Architecturally, separating into two app registrations is an optional design choice (for isolation, lifecycle, or admin reasons), not a requirement for support or security. The supported and recommended pattern is:
- Use Microsoft Entra ID for organization‑wide or unscoped permissions (delegated and/or application).
- Use Exchange Online RBAC for Applications to add granular, resource‑scoped permissions for the same app’s service principal where needed.
This aligns with the documented model where RBAC for Applications “offers an alternate expression of authorization with an associated resource scope,” while Entra permissions (delegated or app‑only) provide the OAuth scopes and tokens.
References: