Restrict Azure App Permissions to Specific Mailboxes Only

With Microsoft disabling Basic Authentication for Exchange Online starting October 1st 2022, I see a lot of vendors asking us IT Pros to create an Azure App registration with application mailbox permissions (Mail.Read, Mail.ReadWrite, Mail.Send and the like) to read out just a single mailbox. However, application permissions are granted tenant-wide: by default such an app can access every single mailbox in your Exchange Online environment, not just the one the vendor needs.

How to lock it down?

You have probably already created the Azure App registration and granted the permissions, so how can you make sure that only the required mailbox can be read by this app?

You can solve this with an Application Access Policy. The app keeps its tenant-wide permission grant in Azure AD, but Exchange Online checks the policy on every request and only lets the app reach the mailboxes that are in scope. Note that the policy only covers the Graph application permissions for mail, mailbox settings, calendars and contacts; it is not a replacement for granting the least permissions in the first place.

STEP 1: Get the application ID

In the Azure portal, open the app registration and copy its Application (client) ID. This is the value you will pass as -AppId below.

STEP 2: Create security group

Now, in the Exchange admin center, create a mail-enabled security group (a distribution group also works, but a dynamic distribution group is not supported as a policy scope) and add the mailboxes that need to be accessed by the Azure App as members of this group.

STEP 3: Create the Application Access Policy

Now connect to Exchange Online PowerShell with the Connect-ExchangeOnline cmdlet (from the ExchangeOnlineManagement module) and create the policy. -PolicyScopeGroupId is the identity (here the email address) of the group you created in step 2, and RestrictAccess means the app can only reach mailboxes that are members of that group:

New-ApplicationAccessPolicy -AppId 931f4aa3-dfa3-415e-9e0f-95a9d3cc8cbb -PolicyScopeGroupId mailaccessgroup@2azure.nl -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group mailaccessgroup"

STEP 4: Test the policy

You can test the policy by running the following command against a specific mailbox:

Test-ApplicationAccessPolicy -Identity testuser@2azure.nl -AppId 931f4aa3-dfa3-415e-9e0f-95a9d3cc8cbb

The AccessCheckResult in the output shows Denied if the mailbox is not a member of the group:

And it shows Granted when the mailbox is a member:

Keep in mind that a new or changed policy can take up to 30 minutes to take effect, so test a non-member mailbox again after that before you hand the credentials to the vendor.
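The whole procedure above (steps 2 to 4) as one Exchange Online PowerShell script, added here as an example and not part of the original post. The admin account, app ID, group name and mailbox addresses are placeholders; replace them with your own values.

```powershell
# Added example: lock one app registration down to a single mailbox, end to end.
# Every identifier below (tenant domain, app ID, group alias, mailboxes) is a placeholder.
# Requires the ExchangeOnlineManagement module: Install-Module ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# STEP 1: Application (client) ID copied from the app registration in the Azure portal (placeholder)
$AppId = '00000000-0000-0000-0000-000000000000'

# The one mailbox the vendor's app may touch, and a control mailbox that must stay blocked (placeholders)
$AllowedMailbox = 'shared-intake@contoso.example'
$OtherMailbox   = 'ceo@contoso.example'

# STEP 2: a mail-enabled security group that scopes the policy.
# -Type Security creates a mail-enabled security group; a dynamic distribution group
# cannot be used as a policy scope.
$GroupAlias = 'app-mailaccess-intake'
$Group = Get-DistributionGroup -Identity $GroupAlias -ErrorAction SilentlyContinue
if (-not $Group) {
    $Group = New-DistributionGroup -Name 'App Mail Access - Intake' -Alias $GroupAlias -Type Security
}
Add-DistributionGroupMember -Identity $GroupAlias -Member $AllowedMailbox -ErrorAction SilentlyContinue

# STEP 3: the policy. RestrictAccess = the app can only reach members of the group.
# (DenyAccess is the inverse: it blocks the app from the group's members only.)
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $Group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Restrict app $AppId to members of $GroupAlias"

# Review every policy that currently applies to this app
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, ScopeName, AccessRight, Description

# STEP 4: verify both the allowed mailbox and the control mailbox.
# The policy can take up to 30 minutes to propagate; until then the control mailbox
# may still come back as Granted, so re-run this check later.
foreach ($Mailbox in @($AllowedMailbox, $OtherMailbox)) {
    $Result = Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
    Write-Host ("{0,-35} {1}" -f $Mailbox, $Result.AccessCheckResult)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Once the policy has propagated, the loop at the end should print Granted for the group member and Denied for the control mailbox. If the control mailbox is still Granted after half an hour, check that the policy's ScopeName matches the group you populated and that the AppId is the Application (client) ID, not the Object ID of the app registration.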
