Restrict APP Only Permissions to Specific mailboxes

/ July 30, 2021

This has been released by Microsoft a year or two ago but still many administrators are not aware about it.

Problem Statement: Administrators do not want to provide app only permissions as it can grant blanket rights to every mailbox in the organization.

Workaround: Administrators use to provide delegated rights, but many applications does not work with that and requires APP only permissions.

Solution: Limit the application permissions to Specific Mailboxes.

This is possible now by utilizing Application Access Policy, let us follow below approach:

After you have registered the APP in AzureAD and provided exchange permissions note its application ID:

Below permissions are supported:


Now create a mail security group and add the mailboxes which you want to restrict access as members.

Create the Application Access policy after that:

New-ApplicationAccessPolicy -AppId 06419c45-45ge-47e8-b56c-b734acrg4504 -PolicyScopeGroupId powershellaccessgroup@TechWizard.cloud -AccessRight RestrictAccess -Description “Restrict this app to members of distribution group powershellaccessgroup”


You can check this by using Get-ApplicationAccessPolicy à it will show all the policies created.


You can test the policy as well by using:

Test-ApplicationAccessPolicy -Identity vikas@techwizard.cloud -AppId 06419c45-45ge-47e8-b56c-b734acrg4504

It will show access denied if mailbox is not member of the group


If mailbox is member of group, then it will show access granted


You can use different permission as well, instead of restrict access use deny access which means it will deny access to the mailboxes that are member of the group.

New-ApplicationAccessPolicy -AppId 06419c45-45ge-47e8-b56c-b734acrg4504 -PolicyScopeGroupId powershellaccessgroup@TechWizard.cloud -AccessRight DenyAccess -Description “Restrict this app to members of distribution group powershellaccessgroup”

 

Reference: Limiting application permissions to specific Exchange Online mailboxes

 

 

Thanks for reading…………

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com

Advertisement

Related posts

One thought on “Restrict APP Only Permissions to Specific mailboxes

  1. Pingback: SharePoint and Graph API APP only permissions for Selected Sites | Tech Wizard

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s