How to allow AAD App with Application Permissions to access specific email boxes

4 min readAug 6, 2020

Overview

I created Send email on behalf of a service account using Office Graph API long time ago to showcase how to leverage an AAD App to send email via Graph API. I leveraged an AAD App with Application permission to send email on behalf of any email accounts within a tenant. Since this approach can access any email accounts, it actually provided “Too much” privileges and introduced security concerns for a tenant. The application built on this approach can be rejected by a enterprise’s security team based on this security concerns. How can an AAD App get access to email accounts without accessing entire tenant? Graph API introduced Scoping application permissions to specific Exchange Online mailboxes which helped us to balance the requirement and security. Let’s look at how to implement that.

Create an AAD App

Let’s create an AAD App.

Access Azure Active Directory in your tenant
Create a AAD App by clicking “App registrations”->”New registration” button. Give the name and select the account access type (single tenant or multitenant). You don’t need to provide “Redirect URL” since we are going to use “Application Permission”

We need to create “Client Secrets” since we are going to use Client Credential Flow to get token. Go to “Certificate & secrets” tab and click “New client secret” button under “Client secrets” section to create a secret. give a name and expiration for your secret.

Grant the permission to access EXO via Graph API. Go to “API permissions”-> “Add a permission” to bring up the “Request API permissions” panel. Select “Microsoft Graph”, choose “Application permissions” and select the permission you like for “Mail” section. Since this is application permission, all the permissions require a admin to consent.

Once you added the permissions, you need to consent the permission since the most of “Application Permissions” have higher privileges and require admin consent. After you consent the permissions, you can “Granted for [tenant]” message showed at each of the permissions. Now your AAD App should be able to access EXO with “Application Permissions”

Create Mail enabled Security Group

In order to create Application Access policy, we need to first to create a security group inside EXO. this security group needs to be a mail enabled security group. You can follow up Create mail-enabled security groups to create a mail enabled security group from EXO admin center.

Once you have security group, you can include your mail account to the group’s membership tab.

Create Application Access Policy

After you created a mail-enabled security, we can create an Application Access Policy for EXO to just allow the AAD App to access this security group.

Follow Connect to Exchange Online to connect to EXO remote session. The following is the screenshot for a remote EXO PS session.

#get connection credential
$UserCredential = Get-Credential#create a remote PS Session to connect to your EXO
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection#use the remote PS session
Import-PSSession $Session -DisableNameChecking

After you start EXO remote PS session, you can run get-mailbox cmdlet to test that. you should be able to get all the mailbox in your tenant.

run the following cmdlet to add the application access policy

AppId: the AAD App you created.

PolicyScopeGroupId: the mail-enabled security group. ApplicationAccessPolicyGroup@contoso.com

New-ApplicationAccessPolicy -AppId [AppId] -PolicyScopeGroupId [securitygroupaddress] -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group."

you can run the following command to test your AAD App by providing a email account which you want to test. for our case, we add AllanD to the that security group and the test result shows that the AAD App can access that. From the other hand, when I provided additional email, the access is denied.