Microsoft released this feature a year or two ago, but many administrators are still not aware of it.
Problem statement: administrators are reluctant to grant application (app-only) permissions, because an application permission grants blanket rights to every mailbox in the organization.
Workaround: administrators used to grant delegated permissions instead, but many applications (unattended services and daemons in particular) do not work with delegated permissions and require application permissions.
Solution: limit the application permissions to specific mailboxes.
This is now possible by using an Application Access Policy. The approach is as follows:
After you have registered the app in Azure AD and granted it the Exchange (Microsoft Graph) application permissions, note its Application (client) ID; the policy is keyed on it.
The policy applies to the following Microsoft Graph application permissions (as documented by Microsoft): Mail.Read, Mail.ReadBasic, Mail.ReadBasic.All, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, MailboxSettings.ReadWrite, Calendars.Read, Calendars.ReadWrite, Contacts.Read and Contacts.ReadWrite.
Now create a mail-enabled security group (a distribution group works too; dynamic distribution groups are not supported as a policy scope) and add the mailboxes the app should be limited to as members.
Then create the Application Access Policy from Exchange Online PowerShell (run Connect-ExchangeOnline first):
New-ApplicationAccessPolicy -AppId 06419c45-45ge-47e8-b56c-b734acrg4504 -PolicyScopeGroupId powershellaccessgroup@TechWizard.cloud -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group powershellaccessgroup"
You can check this with Get-ApplicationAccessPolicy, which lists all the policies that have been created.
You can test the policy as well by using:
Test-ApplicationAccessPolicy -Identity email@example.com -AppId 06419c45-45ge-47e8-b56c-b734acrg4504
It will report AccessCheckResult = Denied if the mailbox is not a member of the group, and Granted if it is. Note that Test-ApplicationAccessPolicy reflects the policy immediately, while Microsoft Graph calls made by the application can take more than an hour to honor the change, so re-test with the real application later.
You can use a different access right as well: instead of RestrictAccess, use DenyAccess, which denies the app access to the mailboxes that are members of the group and leaves every other mailbox reachable.
New-ApplicationAccessPolicy -AppId 06419c45-45ge-47e8-b56c-b734acrg4504 -PolicyScopeGroupId powershellaccessgroup@TechWizard.cloud -AccessRight DenyAccess -Description "Deny this app access to members of distribution group powershellaccessgroup"
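The whole procedure end to end (group, RestrictAccess policy, review, per-mailbox verification), as an added example that is not from the original post. The app ID, group name and mailbox addresses are placeholders invented for illustration; replace them with your tenant's values. It assumes the ExchangeOnlineManagement module and a role that may manage application access policies (for example Organization Management).

```powershell
# Added example (not from the original post): RestrictAccess policy set up end to end,
# followed by a verification sweep over a list of mailboxes.
# Placeholders (invented for illustration): $AppId, the group name/address, the mailbox addresses.

Install-Module ExchangeOnlineManagement -Scope CurrentUser   # one-time
Connect-ExchangeOnline

$AppId     = "00000000-0000-0000-0000-000000000000"                # placeholder: Application (client) ID of the app registration
$GroupName = "app-mailbox-scope"                                    # placeholder group name
$GroupSmtp = "app-mailbox-scope@contoso.example"                    # placeholder group address
$Allowed   = @("svc-mailbox@contoso.example", "shared-helpdesk@contoso.example")  # placeholders: mailboxes the app may reach
$Probe     = @("svc-mailbox@contoso.example", "ceo@contoso.example")              # placeholders: one in scope, one out of scope

# 1. A mail-enabled security group defines the mailboxes the app is allowed to reach.
#    Dynamic distribution groups are not supported as the policy scope.
New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp
foreach ($mbx in $Allowed) {
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $mbx
}

# 2. RestrictAccess: the app keeps its app-only permissions, but only for group members.
#    Every other mailbox in the tenant becomes inaccessible to this app.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description "Restrict app $AppId to members of $GroupSmtp"

# 3. Review the policies that exist for this app.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-Table AppId, ScopeName, AccessRight, Description

# 4. Verify per mailbox. AccessCheckResult is "Granted" for members and "Denied" for everyone else.
function Test-AppMailboxScope {
    param([string]$AppId, [string[]]$Mailboxes)
    foreach ($mbx in $Mailboxes) {
        $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
        [pscustomobject]@{ Mailbox = $mbx; Result = $r.AccessCheckResult }
    }
}
Test-AppMailboxScope -AppId $AppId -Mailboxes $Probe | Format-Table -AutoSize
```

To express the DenyAccess variant instead, swap -AccessRight RestrictAccess for -AccessRight DenyAccess in step 2 and populate the group with the mailboxes the app must never touch; the verification sweep in step 4 then shows Denied for members and Granted for the rest.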
Thanks for reading.