This guide shows how to use Role Based Access Control (RBAC) for Applications in Exchange Online PowerShell to limit the Robin app to room and equipment mailboxes only. Complete these steps after Robin has already been connected to your Microsoft 365 tenant through the Robin Powered (Admin Consent) app; until then the service principal the steps refer to does not exist in your tenant.
Find the Robin Powered (Admin Consent) app under Enterprise applications in the Microsoft Entra admin center (Azure AD) and note its Application ID and Object ID. Use the Object ID shown on the enterprise application (the service principal), not the Object ID of an app registration; Exchange Online rejects the latter.
Connect with the ExchangeOnlineManagement module (Connect-ExchangeOnline) and, in Exchange Online PowerShell, run:
New-ServicePrincipal -AppId [app ID] -ObjectId [object ID] -DisplayName "Robin"
Next, create a management scope that restricts the application to room and equipment mailboxes. Still in Exchange Online PowerShell (this is not the on-premises Exchange Management Shell), run:
New-ManagementScope -Name "RobinCalendars" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}
Then apply the management scope:
New-ManagementRoleAssignment -Role "Application Calendars.ReadWrite" -App [Robin app ID] -CustomResourceScope "RobinCalendars"
Once this is set up, revoke the Calendars.ReadWrite application permission under the Permissions section of the application in Entra ID (Azure). This step is what actually narrows access: the Microsoft Graph permission is tenant-wide and covers every mailbox, so as long as it remains granted the RBAC scope adds nothing. Before revoking it, confirm the new assignment works by running Test-ServicePrincipalAuthorization against a room mailbox (expected: authorized) and a regular user mailbox (expected: not authorized), so that Robin does not lose calendar access if the assignment has not yet taken effect.
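The steps above, collected into one script as an added example (this is not Robin's or Microsoft's own script). The IDs, tenant name, admin account and the two mailbox addresses are constructed placeholders; substitute the values from the Robin Powered (Admin Consent) enterprise application and your own tenant. The verification step relies on the IsAuthorized column that Test-ServicePrincipalAuthorization returns for each matching role assignment.

```powershell
# Added end-to-end example, not code from the original page or from Robin.
# Requires the ExchangeOnlineManagement module (Exchange Online PowerShell,
# not the on-premises Exchange Management Shell).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # constructed placeholder

$appId     = "00000000-0000-0000-0000-000000000001"  # Application (client) ID - placeholder
$objectId  = "00000000-0000-0000-0000-000000000002"  # Object ID of the ENTERPRISE application (service principal), not the app registration - placeholder
$scopeName = "RobinCalendars"

# 1. Make the Entra service principal known to Exchange Online RBAC (idempotent).
if (-not (Get-ServicePrincipal -Identity $appId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $appId -ObjectId $objectId -DisplayName "Robin"
}

# 2. Scope: room and equipment mailboxes only. The OPATH filter is passed as a
#    string, which is the form Exchange Online PowerShell expects.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'EquipmentMailbox'"
}

# 3. Grant the application-only calendar role, bounded by that scope.
New-ManagementRoleAssignment -App $appId `
    -Role "Application Calendars.ReadWrite" `
    -CustomResourceScope $scopeName

# 4. Verify BEFORE revoking the Graph permission in Entra: a room mailbox must be
#    authorized, a regular user mailbox must not. Both addresses are constructed.
$checks = @(
    @{ Resource = "conf-room-1@contoso.com"; Expected = $true  }   # room mailbox
    @{ Resource = "alice@contoso.com";       Expected = $false }   # user mailbox
)
foreach ($c in $checks) {
    $result = Test-ServicePrincipalAuthorization -Identity $appId -Resource $c.Resource
    # Any returned assignment with IsAuthorized = True means access is granted;
    # an empty result means no assignment applies to that mailbox.
    $authorized = [bool]($result | Where-Object { $_.IsAuthorized })
    if ($authorized -ne $c.Expected) {
        Write-Warning "Unexpected result for $($c.Resource): IsAuthorized=$authorized (expected $($c.Expected))"
    } else {
        Write-Host "OK: $($c.Resource) IsAuthorized=$authorized"
    }
}

# 5. Only after both checks pass, remove the tenant-wide Calendars.ReadWrite
#    application permission from the app in Entra ID (portal step). Until that
#    Graph grant is gone it still covers every mailbox, regardless of this scope.
```

Run it once per tenant; the Get-* guards make the service principal and scope steps safe to re-run, while New-ManagementRoleAssignment will report an error if an identical assignment already exists, which is harmless.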
Looking to restrict the calendar access further, for example to a subset of rooms by name or attribute? See Microsoft's guide (referenced below) for examples of narrower management scope filters.
Reference:
Role Based Access Control for Applications in Exchange Online