Restrict APP Only Permissions to Specific mailboxes

This has been released by Microsoft a year or two ago but still many administrators are not aware about it.

Problem Statement: Administrators do not want to provide app only permissions as it can grant blanket rights to every mailbox in the organization.

Workaround: Administrators use to provide delegated rights, but many applications does not work with that and requires APP only permissions.

Solution: Limit the application permissions to Specific Mailboxes.

This is possible now by utilizing Application Access Policy, let us follow below approach:

After you have registered the APP in AzureAD and provided exchange permissions note its application ID:

Below permissions are supported:

Now create a mail security group and add the mailboxes which you want to restrict access as members.

Create the Application Access policy after that:

New-ApplicationAccessPolicy -AppId 06419c45-45ge-47e8-b56c-b734acrg4504 -PolicyScopeGroupId -AccessRight RestrictAccess -Description “Restrict this app to members of distribution group powershellaccessgroup”

You can check this by using Get-ApplicationAccessPolicy à it will show all the policies created.

You can test the policy as well by using:

Test-ApplicationAccessPolicy -Identity -AppId 06419c45-45ge-47e8-b56c-b734acrg4504

It will show access denied if mailbox is not member of the group

If mailbox is member of group, then it will show access granted

You can use different permission as well, instead of restrict access use deny access which means it will deny access to the mailboxes that are member of the group.

New-ApplicationAccessPolicy -AppId 06419c45-45ge-47e8-b56c-b734acrg4504 -PolicyScopeGroupId -AccessRight DenyAccess -Description “Restrict this app to members of distribution group powershellaccessgroup”


Reference: Limiting application permissions to specific Exchange Online mailboxes



Thanks for reading…………

Tech Wizard


One thought on “Restrict APP Only Permissions to Specific mailboxes

  1. Pingback: SharePoint and Graph API APP only permissions for Selected Sites | Tech Wizard

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s