Thank you Jon. Just to confirm, if I do not set up the access policies as you outline above, the app registration credentials will automatically allow the viewing of users' emails and calendars?
You are correct. Without the access policy, the *.All roles provide access to all users' email, calendar, etc. Unfortunately, access policies only work for email and calendar currently.