To grant Office 365 Exchange Online permissions to the new Application Registration:
On the leftmost pane, select API Permissions. On the Configured permissions page that appears, select Add a permission.
On the Request API permissions pane that appears to the right, select APIs my organization uses.
In the search field, enter Office, and select Office 365 Exchange Online.
Select the required type of permissions:
For a certificate-based connection:
Select Application Permissions.
Under Select permissions, expand Other permissions.
Select the check box to the left of full_access_as_app (Use Exchange Web Services with full access to all mailboxes).
At the bottom of the pane, select Add permissions.
For a client secret-based connection:
Select Delegated Permissions.
Under Select permissions, expand EWS.
Select the check box to the left of EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services).
At the bottom of the pane, select Add permissions.
Result: The rightmost pane disappears. The Configured permissions page appears and displays the item that you added permissions to.
Select the app that you added permissions to, and then select Grant admin consent.
For example, the screenshot displays a delegated permission.
Note: The right pane, Request API permissions, reappears.
On the Office 365 login window that appears, log in as the same user as when you logged in to the Azure portal.
Result: You are brought back to the right pane, Request API permissions.
Close the right pane.
Result: The Status column now displays "Granted for ...".
Step d: Limit the scope of mailboxes that the Riva app has access to
Depending on which use case applies to your organization, you may or may not need to add (assign) the users who will be using OAuth in the Riva connection to Office 365.
| Use case | Description | Action to Take |
| --- | --- | --- |
| #1 | Impersonation is used - permissions are granted to a service account that is configured to have impersonation access to other mailboxes. | Recommendation: Add the subset of users to a security group in the Azure Application, and specify that group in the -PolicyScopeGroupId argument. |
Note: Changes to application access policies can take longer than 1 hour to take effect, even when Test-ApplicationAccessPolicy shows positive results.
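One way to apply and verify the restriction recommended for use case #1, as an added example (not Riva's or Microsoft's own script). It assumes the ExchangeOnlineManagement module is installed and that the policy is created with New-ApplicationAccessPolicy; every value in angle brackets is a placeholder to replace with your own.

```powershell
# Added example. All angle-bracket values are placeholders, not values from this page.
$AppId        = '<application-client-id>'         # Application (client) ID of the app registration
$ScopeGroup   = '<security-group-email-address>'  # group that holds the users Riva should reach
$InScopeUser  = '<member-of-group@example.com>'   # a mailbox that IS in the group
$OutScopeUser = '<not-in-group@example.com>'      # a mailbox that is NOT in the group

# Sign in as an Exchange administrator.
Connect-ExchangeOnline

# Restrict the app so it can only reach mailboxes that are members of the group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Restrict the Riva app to the synced mailboxes'

# Check both directions: a group member must be Granted, a non-member Denied.
# Testing only the member would not reveal a policy that restricts nothing.
$checks = @(
    @{ Mailbox = $InScopeUser;  Expected = 'Granted' },
    @{ Mailbox = $OutScopeUser; Expected = 'Denied'  }
)
foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    if ($result.AccessCheckResult -eq $check.Expected) {
        Write-Output "$($check.Mailbox): $($result.AccessCheckResult) (as expected)"
    } else {
        Write-Warning "$($check.Mailbox): expected $($check.Expected), got $($result.AccessCheckResult)"
    }
}

# List the policies that apply to this app for a final review.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } | Format-List
```

As the note above says, a positive Test-ApplicationAccessPolicy result does not mean enforcement is already active, so repeat the non-member check against the live connection once the change has had time to take effect.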
Step e: Create the Connection in Riva
Do one of the following:
Use case
Description
Action to Take
#1
Impersonation is used - permissions are granted to a service account that is configured to have impersonation access to other mailboxes.