Why does Cronofy require full mailbox access?

The APIs utilised by Cronofy to access Exchange and Office 365 require full Mailbox Access so we can create and update events.

Limitations in the way the data is modelled inside those services (Office 365 AND Exchange) mean that it is necessary for Cronofy to require full mailbox access by default. Cronofy does not access any email information, only the calendars that the user has granted us access to.

If you’re using Enterprise Connect, you can further restrict access to only free-busy information for a mailbox, or alternatively, only share calendar information of users within certain distribution groups. You can find more information on how to do this in the following documentation: https://docs.cronofy.com/calendar-admins/enterprise-connect-office365-exchange/free-busy-access/