Forum Discussion

lfk73
Brass Contributor
Nov 27, 2024
Solved

Limiting application permissions to specific Exchange Online mailboxes

Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Learn

Re the above link: I want to give a registered app access to a mailbox.  Of course, the vend...
  • kyazaferr
    Nov 27, 2024
    • When registering the application in Azure AD, you must grant the app the Exchange Web Services (EWS) permission full_access_as_app.
    • This permission allows the app to access all mailboxes, but the scope will be restricted in the next step.
      1. In Azure AD, go to App Registrations.
      2. Select your app and navigate to API Permissions.
      3. Add the full_access_as_app permission under Exchange Web Services.
      4. Grant admin consent for the permission.
    • Create the ApplicationAccessPolicy.
      • The ApplicationAccessPolicy restricts the app's access to specific mailboxes.
      • Without this policy, the app will have access to all mailboxes as allowed by the full_access_as_app permission.
      1. Open Exchange Online PowerShell:
         Connect-ExchangeOnline
      2. Create a security group in Azure AD and add the mailbox owner(s) to it. For example:
         Group Name: MailboxAccessGroup
      3. Assign the application access policy:
         New-ApplicationAccessPolicy -AppId "<AppId>" -PolicyScopeGroupId "MailboxAccessGroup" -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"
      4. Get-ApplicationAccessPolicy
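The steps in the answer above, carried through end to end as an added example (this script is not from the thread or from Microsoft; it is written here for illustration). The AppId, group name and alias, and the two mailbox addresses are placeholders you would replace. Two details matter in practice: the scope of an application access policy must be a mail-enabled security group (a plain Entra ID security group is rejected by New-ApplicationAccessPolicy), and the policy restricts every Exchange-backed application permission the app holds, so it bounds Graph permissions such as Mail.Read, Mail.ReadWrite, MailboxSettings.*, Calendars.* and Contacts.* as well as the EWS full_access_as_app permission. The script ends by asking Exchange, from the app's point of view, whether an in-scope and an out-of-scope mailbox are reachable, which is the check you want before handing the credential to the vendor.

```powershell
# Added example (not from the original thread): scope an app registration to the
# members of one mail-enabled security group and verify the scope from both sides.
# Assumed placeholders: the AppId, group name/alias and mailbox addresses below.
# Requires the ExchangeOnlineManagement module and an account that can manage
# Exchange Online (for example, the Exchange Administrator role).

$AppId      = "00000000-0000-0000-0000-000000000000"   # assumed: Application (client) ID of the app registration
$GroupName  = "MailboxAccessGroup"                     # assumed: group name used in the answer above
$GroupAlias = "mailboxaccessgroup"                     # assumed: alias; also becomes the group's SMTP address
$InScope    = "shared.mailbox@contoso.example"         # assumed: a mailbox the app should be able to reach
$OutOfScope = "someone.else@contoso.example"           # assumed: a mailbox the app must not reach

Connect-ExchangeOnline -ShowBanner:$false

# 1. The policy scope must be a mail-enabled security group, so create it in
#    Exchange Online rather than as a plain Entra ID security group.
#    Reuse the group if it already exists.
$group = Get-DistributionGroup -Identity $GroupAlias -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Alias $GroupAlias -Type Security
}

# 2. Group membership, not the app's permission grant, is what bounds access
#    from here on. Ignore the error if the mailbox is already a member.
Add-DistributionGroupMember -Identity $group.Identity -Member $InScope -ErrorAction SilentlyContinue

# 3. Restrict the app to members of that group. Without a policy, a tenant-wide
#    application permission (full_access_as_app, Mail.Read, ...) reaches every mailbox.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Restrict app $AppId to members of $GroupName"

# 4. Check the result from the app's point of view. AccessCheckResult should be
#    Granted for the member and Denied for everyone else. Policy changes can take
#    up to about 30 minutes to take effect, so a brand-new policy may still show
#    Granted for the out-of-scope mailbox immediately after creation.
$results = foreach ($mbx in @($InScope, $OutOfScope)) {
    $check = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{ Mailbox = $mbx; AccessCheckResult = $check.AccessCheckResult }
}
$results | Format-Table -AutoSize

# 5. Fail loudly if the out-of-scope mailbox is still reachable.
$leak = $results | Where-Object { $_.Mailbox -eq $OutOfScope -and $_.AccessCheckResult -eq "Granted" }
if ($leak) { Write-Warning "Policy not yet effective: $OutOfScope still reports Granted for app $AppId" }
```

Run Get-ApplicationAccessPolicy afterwards to list the policy (its Identity is what Remove-ApplicationAccessPolicy takes if you later need to withdraw it). Re-run the Test-ApplicationAccessPolicy loop once propagation has completed; the Denied result for the out-of-scope mailbox is the evidence that the tenant-wide grant is actually fenced in.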
