Merge pull request #28541 from microsoftgraph/users/lianshen/update-rbac

Danipocket · web-flow · commit de3ab847b228 · 2026-03-30T21:38:53.000-06:00
Update Places API with application permission details
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-places-apis-update-known-issue.md b/api-reference/beta/includes/rbac-for-apis/rbac-places-apis-update-known-issue.md
@@ -5,5 +5,6 @@ ms.topic: include
 
 > [!IMPORTANT]
 > In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Exchange Administrator* is the least privileged role supported for this operation.
+> When using *application permissions*, you must configure the required `TenantPlacesManagement` role (to manage Places) and the `MailRecipient` role (to manage users and mailboxes). For more information on how to configure these roles, see [Role Based Access Control for Applications in Exchange Online](/exchange/permissions-exo/application-rbac).
 
-> **Known issue:** Update requests may still succeed without the role assignment but result in unexpected behaviors.
+> **Known issue:** Update requests may still succeed even when the required delegated Microsoft Entra role or application RBAC role assignments are missing, but can result in unexpected behaviors.
diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-places-apis-write.md b/api-reference/beta/includes/rbac-for-apis/rbac-places-apis-write.md
@@ -4,4 +4,5 @@ ms.topic: include
 ---
 
 > [!IMPORTANT]
-> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Exchange Administrator* is the least privileged role supported for this operation.
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Exchange Administrator* is the least privileged role supported for this operation.
+> When using *application permissions*, you must configure the required `TenantPlacesManagement` role (to manage Places) and the `MailRecipient` role (to manage users and mailboxes). For more information on how to configure these roles, see [Role Based Access Control for Applications in Exchange Online](/exchange/permissions-exo/application-rbac).
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-places-apis-update-known-issue.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-places-apis-update-known-issue.md
@@ -5,5 +5,6 @@ ms.topic: include
 
 > [!IMPORTANT]
 > In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Exchange Administrator* is the least privileged role supported for this operation.
+> When using *application permissions*, you must configure the required `TenantPlacesManagement` role (to manage Places) and the `MailRecipient` role (to manage users and mailboxes). For more information on how to configure these roles, see [Role Based Access Control for Applications in Exchange Online](/exchange/permissions-exo/application-rbac).
 
-> **Known issue:** Update requests may still succeed without the role assignment but result in unexpected behaviors.
+> **Known issue:** Update requests may still succeed without either the delegated Microsoft Entra role assignment or the application RBAC role assignments but result in unexpected behaviors.
diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-places-apis-write.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-places-apis-write.md
@@ -4,4 +4,5 @@ ms.topic: include
 ---
 
 > [!IMPORTANT]
-> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Exchange Administrator* is the least privileged role supported for this operation.
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. *Exchange Administrator* is the least privileged role supported for this operation.
+> When using *application permissions*, you must configure the required `TenantPlacesManagement` role (to manage Places) and the `MailRecipient` role (to manage users and mailboxes). For more information on how to configure these roles, see [Role Based Access Control for Applications in Exchange Online](/exchange/permissions-exo/application-rbac).
diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md
@@ -26,7 +26,8 @@ Using the **signInAudience** property to limit where an [application](/graph/api
 
 ### Calendars | Places
 
-Added a known issue of RBAC in [Places update API](/graph/api/place-update): update requests may still succeed without *Exchange Administrator* role but result in unexpected behaviors.
+- Added a known issue of RBAC in [Places update API](/graph/api/place-update): update requests may still succeed without *Exchange Administrator* role but result in unexpected behaviors.
+- When using *application permissions* with the [Create place](/graph/api/place-post), [Upsert places](/graph/api/place-patch-places), [Update place](/graph/api/place-update), and [Delete place](/graph/api/place-delete) APIs, you must configure the required `TenantPlacesManagement` role (to manage Places) and the `MailRecipient` role (to manage users and mailboxes). For more information on how to configure these roles, see [Role Based Access Control for Applications in Exchange Online](/exchange/permissions-exo/application-rbac).
 
 ### Device and app management | Cloud PC
 
@@ -104,7 +105,8 @@ The new Tenant Configuration Management APIs in Microsoft Graph allow administra
 
 ### Calendars | Places
 
-Added a known issue of RBAC in [Places update API](/graph/api/place-update?view=graph-rest-beta&preserve-view=true): update requests may still succeed without *Exchange Administrator* role but result in unexpected behaviors.
+- Added a known issue of RBAC in [Places update API](/graph/api/place-update?view=graph-rest-beta&preserve-view=true): update requests may still succeed without *Exchange Administrator* role but result in unexpected behaviors.
+- When using *application permissions* with the [Create place](/graph/api/place-post?view=graph-rest-beta&preserve-view=true), [Upsert places](/graph/api/place-patch-places?view=graph-rest-beta&preserve-view=true), [Update place](/graph/api/place-update?view=graph-rest-beta&preserve-view=true), and [Delete place](/graph/api/place-delete?view=graph-rest-beta&preserve-view=true) APIs, you must configure the required `TenantPlacesManagement` role (to manage Places) and the `MailRecipient` role (to manage users and mailboxes). For more information on how to configure these roles, see [Role Based Access Control for Applications in Exchange Online](/exchange/permissions-exo/application-rbac).
 
 ### Device and app management | Cloud PC
 
