Restrict Azure App Permissions to Specific mailboxes only
With Microsoft disabling Basic Authentication in Exchange Online starting October 1st 2022, I see a lot of vendors asking us IT Pros to create an Azure App registration with mailbox permissions in order to read out just a single mailbox. However, the application permissions you consent to for that app (for example Mail.Read or Mail.ReadWrite) are not scoped to one mailbox: by default they apply to every single mailbox in your Exchange Online environment.
How to lock it down?
You have probably already created the Azure App registration and granted the permissions, so the question becomes: how do you make sure that only the required mailbox can be read by this app?
This is exactly what an Exchange Online Application Access Policy is for. It restricts the application permissions granted to a specific app (Mail.*, MailboxSettings.*, Calendars.* and Contacts.* via Microsoft Graph) to the members of a group you choose; every other mailbox is denied. Keep in mind that the policy only narrows which mailboxes the app can reach, it does not reduce what the app can do in them, so still grant the least-privileged permission the vendor actually needs (Mail.Read rather than Mail.ReadWrite, for instance).
STEP 1: Get the application ID
From the app registration in the Azure portal, copy the Application (client) ID. This is the value the policy is keyed on, so make sure you take it from the registration the vendor actually uses and not from another app.
STEP 2: Create security group
Now in the Exchange Online admin center create a mail-enabled security group (a distribution group also works; dynamic distribution groups are not supported by application access policies) and add only the mailboxes that need to be accessed by the Azure App as members.
STEP 3: Create the Application Access Policy
Now connect to Exchange Online with the Connect-ExchangeOnline cmdlet from the ExchangeOnlineManagement module and create the policy. The AppId is the Application (client) ID from step 1 and PolicyScopeGroupId is the address of the group from step 2:
New-ApplicationAccessPolicy -AppId 931f4aa3-dfa3-415e-9e0f-95a9d3cc8cbb -PolicyScopeGroupId email@example.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group mailaccessgroup"
RestrictAccess allows the app to reach only members of the group. The other option, DenyAccess, does the opposite and blocks the app from the group's members while leaving the rest of the tenant reachable. Changes to application access policies can take up to 30 minutes to take effect.
STEP 4: Test the policy
You can test the policy for any mailbox by running the following command:
Test-ApplicationAccessPolicy -Identity firstname.lastname@example.org -AppId 931f4aa3-dfa3-415e-9e0f-95a9d3cc8cbb
The AccessCheckResult property of the output shows Denied if the mailbox is not a member of the group:
And it shows Granted when the mailbox is a member:
Test a mailbox that should be denied as well as the one that should be granted; a policy that points at the wrong AppId or group will happily return Granted for everything, and only the negative test catches that.
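The four steps above as one script, added here as an example and not taken from the original post or from any vendor's documentation. The admin UPN, group name, group address and the allowed mailbox addresses are placeholders to replace with your own values; the AppId is the one used in the post. Beyond the single Test-ApplicationAccessPolicy call shown above, it walks every user and shared mailbox in the tenant and flags any mailbox the app can still reach that is not on the allow list, which is the check you want before telling the vendor they are good to go.

```powershell
# Added example: create the group, create the policy and verify it tenant-wide.
# All names and addresses except the AppId are assumed placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com      # assumed admin UPN

$appId     = '931f4aa3-dfa3-415e-9e0f-95a9d3cc8cbb'              # Application (client) ID from step 1
$groupName = 'mailaccessgroup'                                   # assumed group name
$groupSmtp = 'mailaccessgroup@contoso.com'                       # assumed group address
$allowed   = @('shared.mailbox@contoso.com')                     # assumed mailbox(es) the app may read

# Step 2: mail-enabled security group holding only the mailboxes the app may access.
# Dynamic distribution groups are not supported by application access policies.
$group = Get-DistributionGroup -Identity $groupSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $groupName -Type Security -PrimarySmtpAddress $groupSmtp
}
foreach ($mbx in $allowed) {
    Add-DistributionGroupMember -Identity $groupSmtp -Member $mbx -ErrorAction SilentlyContinue
}

# Step 3: scope the app to the group. Without this policy the app's application
# permissions (Mail.Read, Mail.ReadWrite, ...) apply to every mailbox in the tenant.
if (-not (Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId })) {
    New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $groupSmtp `
        -AccessRight RestrictAccess -Description "Restrict $appId to members of $groupName"
}

# Step 4: verify against every user and shared mailbox, not just the one that should work.
# Policy changes can take up to 30 minutes to apply, so re-run this until the result is stable.
$results = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    ForEach-Object {
        $check = Test-ApplicationAccessPolicy -Identity $_.PrimarySmtpAddress -AppId $appId
        [pscustomobject]@{
            Mailbox = $_.PrimarySmtpAddress   # keep the SMTP address we queried for a clean comparison
            Result  = $check.AccessCheckResult # 'Granted' or 'Denied'
        }
    }

$granted = $results | Where-Object { $_.Result -eq 'Granted' }
$granted | Format-Table -AutoSize

# Any mailbox that is Granted but not on the allow list is a finding: either the group has
# extra members, or the policy was created against the wrong AppId or group.
$unexpected = $granted | Where-Object { $allowed -notcontains $_.Mailbox }
if ($unexpected) {
    Write-Warning "App $appId can still reach: $($unexpected.Mailbox -join ', ')"
} else {
    Write-Host "App $appId is restricted to: $($allowed -join ', ')"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this once after creating the policy and again after the propagation window; the first run may still show Granted for mailboxes outside the group. If you ever need to lift the restriction, Remove-ApplicationAccessPolicy on the policy's Identity returns the app to tenant-wide access, so treat that cmdlet with the same care as the consent grant itself.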