Forum Discussion
lfk73
Nov 27, 2024, Brass Contributor
Limiting application permissions to specific Exchange Online mailboxes
Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Learn Re the above link I want to give a registered app access to a mailbox. Of course, the vend...
- Nov 27, 2024
- When registering the application in Azure AD, you must grant the app the Exchange Web Services (EWS) permission full_access_as_app.
- This permission allows the app to access all mailboxes, but the scope will be restricted in the next step.
- In Azure AD, go to App Registrations.
- Select your app and navigate to API Permissions.
- Add the full_access_as_app permission under Exchange Web Services.
- Grant admin consent for the permission
Create the ApplicationAccessPolicy
- The ApplicationAccessPolicy restricts the app’s access to specific mailboxes.
- Without this policy, the app will have access to all mailboxes as allowed by the full_access_as_app permission.
- Open Exchange Online PowerShell and run: Connect-ExchangeOnline
- Create a security group in Azure AD and add the mailbox owner(s) to it. For example:
- Group Name: MailboxAccessGroup
- Assign the application access policy:
- New-ApplicationAccessPolicy -AppId "<AppId>" -PolicyScopeGroupId "MailboxAccessGroup" -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"
- Get-ApplicationAccessPolicy
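The procedure in the reply above, carried through end to end as an added example (this is not code from the thread or from the Microsoft article it links; the tenant name, app ID, admin account and mailbox addresses are placeholders). Two points a practitioner should check before handing the app's credentials to the vendor: until a RestrictAccess policy exists for the AppId, the consented full_access_as_app permission reaches every mailbox in the tenant, so create and verify the policy before the credentials are shared; and the object passed to -PolicyScopeGroupId must be a mail-enabled security group that Exchange Online can resolve, which is why the group is created with New-DistributionGroup -Type Security rather than as a plain Entra ID security group. Test-ApplicationAccessPolicy gives the effective answer for a given mailbox and app without having to call EWS or Graph.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement
# module and an Exchange administrator. All names and IDs below are
# hypothetical placeholders.
$ErrorActionPreference = "Stop"   # a failed step must not silently leave the app unrestricted

$AppId      = "11111111-2222-3333-4444-555555555555"  # Application (client) ID of the app registration
$GroupSmtp  = "MailboxAccessGroup@contoso.com"        # mail-enabled security group used as the policy scope
$InScope    = "vendor.intake@contoso.com"             # the one mailbox the vendor's app may reach
$OutOfScope = "ceo@contoso.com"                       # any other mailbox; must be denied

Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com"

# The scope group must be a mail-enabled security group known to Exchange Online.
# A plain Entra ID security group that is not mail-enabled is not accepted here.
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name "MailboxAccessGroup" -Alias "MailboxAccessGroup" `
        -PrimarySmtpAddress $GroupSmtp -Type Security | Out-Null
}
Add-DistributionGroupMember -Identity $GroupSmtp -Member $InScope

# One policy for this app: RestrictAccess limits it to members of the scope group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description "Restrict $AppId to members of $GroupSmtp"

# Verify the effective result before the credentials leave your hands.
# Expected: AccessCheckResult is Granted for $InScope and Denied for $OutOfScope.
# Policy changes take time to propagate; re-run until both results match.
Test-ApplicationAccessPolicy -Identity $InScope    -AppId $AppId
Test-ApplicationAccessPolicy -Identity $OutOfScope -AppId $AppId

# Review every policy bound to this app ID (there should be exactly the one above).
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } | Format-List
```

If the Denied result never appears for the out-of-scope mailbox, the usual causes are a policy created against a different AppId (the Application ID, not the Object ID, is required) or a scope group that is not mail-enabled; fix that before treating the app as restricted.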
LainRobertson
Nov 27, 2024, Silver Contributor
Hi lfk73,
You need both the policy and permissions.
As for which permissions, it depends on whether you are accessing the mailboxes via Graph or via Exchange Online PowerShell.
If you are accessing the mailboxes using Graph, then you can also choose "just enough" access as enumerated in the above article.
If you are accessing the mailboxes via the Exchange Online PowerShell module, you will need to grant the full_access_as_app API permission (since there's nothing less permissive to choose from).
Cheers,
Lain