Microsoft Graph: Limiting Azure Application Scope permissions to specific Exchange Online mailboxes

When using "Application Scoped" permissions, there is a common concern that the application itself will have access to all mailboxes.

There are controls specific to Microsoft Exchange Online resources and do not apply to other Microsoft Graph workloads.

For the specific Exchange Online scopes, it is possible to limit the "Application Scoped" permission to specific Users and Mailboxes by using the "Exchange Application Access Policy."

The following details outline how organizations can limit the Application Scope permissions to a specific set of mailboxes outlined by Microsoft here.

Please refer to  Microsoft Graph: Permissions and Granting Consent article.

Background

In many cases, when deploying an Azure application with access to Exchange Online, administrators want to limit an app's access to only specific mailboxes and not to all Exchange Online mailboxes in the organization.

Administrators can identify the set of mailboxes to permit access by putting them in a mail-enabled security group. Administrators can then limit third-party app access to only that set of mailboxes by creating an application access policy for access to that group.

Configure ApplicationAccessPolicy

To configure an application access policy and limit the scope of application permissions:

1. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.

2. Identify the app’s client ID and a mail-enabled security group to restrict the app’s access.

   • Identify the app’s application (client) ID in the Azure app registration portal.
     • Identify Application (client) ID
   • Create a new mail-enabled security group or use an existing one and identify the email address for the group.

3. Create an application access policy.

   Run the following command, replacing the arguments for AppId, PolicyScopeGroupId, and Description.

New-ApplicationAccessPolicy -AppId 2be6f96c-9175-4977-bd87-d6cb0dc230bc -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess  -Description "Restrict this app to members of distribution group EvenUsers."

Test the newly created application access policy.

4. Run the following command, replacing the arguments for Identity and AppId.

Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId 2be6f96c-9175-4977-bd87-d6cb0dc230bc

The output of this command will indicate whether the app has access to User1’s mailbox.

Note: Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy shows positive results.

Permissions that Can be Limited

For the specific Exchange Online scopes, it is possible to limit the "Application Scoped" permission to specific Users and Mailbox by using the "Exchange Application Access Policy."

Administrators can use ApplicationAccessPolicy cmdlets to control mailbox access of an app that has been granted any of the following Microsoft Graph application permissions or Exchange Web Services permissions.

The Application Scoped permissions that are supported by the "Application Access Policy" include:

Microsoft Graph Exchange Online scopes:

• Mail.Read
• Mail.ReadBasic
• Mail.ReadBasic.All
• Mail.ReadWrite
• Mail.Send
• MailboxSettings.Read
• MailboxSettings.ReadWrite
• Calendars.Read
• Calendars.ReadWrite
• Contacts.Read
• Contacts.ReadWrite

Microsoft Exchange Online for Exchange Web Services scopes:

• full_access_as_app.