How to allow AAD App with Application Permissions to access specific email boxes

Overview

I created Send email on behalf of a service account using Office Graph API long time ago to showcase how to leverage an AAD App to send email via Graph API. I leveraged an AAD App with Application permission to send email on behalf of any email accounts within a tenant. Since this approach can access any email accounts, it actually provided “Too much” privileges and introduced security concerns for a tenant. The application built on this approach can be rejected by a enterprise’s security team based on this security concerns. How can an AAD App get access to email accounts without accessing entire tenant? Graph API introduced Scoping application permissions to specific Exchange Online mailboxes which helped us to balance the requirement and security. Let’s look at how to implement that.

Create an AAD App

Let’s create an AAD App.

  • Access Azure Active Directory in your tenant
  • Create a AAD App by clicking “App registrations”->”New registration” button. Give the name and select the account access type (single tenant or multitenant). You don’t need to provide “Redirect URL” since we are going to use “Application Permission”
  • We need to create “Client Secrets” since we are going to use Client Credential Flow to get token. Go to “Certificate & secrets” tab and click “New client secret” button under “Client secrets” section to create a secret. give a name and expiration for your secret.
  • Grant the permission to access EXO via Graph API. Go to “API permissions”-> “Add a permission” to bring up the “Request API permissions” panel. Select “Microsoft Graph”, choose “Application permissions” and select the permission you like for “Mail” section. Since this is application permission, all the permissions require a admin to consent.
  • Once you added the permissions, you need to consent the permission since the most of “Application Permissions” have higher privileges and require admin consent. After you consent the permissions, you can “Granted for [tenant]” message showed at each of the permissions. Now your AAD App should be able to access EXO with “Application Permissions”

Create Mail enabled Security Group

In order to create Application Access policy, we need to first to create a security group inside EXO. this security group needs to be a mail enabled security group. You can follow up Create mail-enabled security groups to create a mail enabled security group from EXO admin center.

Once you have security group, you can include your mail account to the group’s membership tab.

Create Application Access Policy

After you created a mail-enabled security, we can create an Application Access Policy for EXO to just allow the AAD App to access this security group.

#get connection credential
$UserCredential = Get-Credential
#create a remote PS Session to connect to your EXO
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
#use the remote PS session
Import-PSSession $Session -DisableNameChecking
  • After you start EXO remote PS session, you can run get-mailbox cmdlet to test that. you should be able to get all the mailbox in your tenant.
  • run the following cmdlet to add the application access policy

AppId: the AAD App you created.

PolicyScopeGroupId: the mail-enabled security group. ApplicationAccessPolicyGroup@contoso.com

New-ApplicationAccessPolicy -AppId [AppId] -PolicyScopeGroupId [securitygroupaddress] -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group."
  • you can run the following command to test your AAD App by providing a email account which you want to test. for our case, we add AllanD to the that security group and the test result shows that the AAD App can access that. From the other hand, when I provided additional email, the access is denied.

Test that from PostMan

the follow is the screenshot from the Postman when we access those mail box using Application permission.

When I access the alland email, I got all the mail box information from Graph API.

When I access the frank email, I got the “ErrorAccessDenied” error.

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

10 Truths to Know for Building HIPAA Compliant Software

Asset Tracking: The Killer IoT App

How to Solve the Legal, Privacy and Security issues when you choose Cloud Services

Best Web Hosting

GMP financial investigation team returns £2m to victims in six months

GMP financial investigation team returns £2m to victims in six months

Honeypot: North California

HackTheBox — Admirer

5 things every Healthcare CIOs need to know

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Frank Chen

Frank Chen

More from Medium

OFAC Checker: A no-code platform for instant OFAC compliance check

The One Where I got Acquainted with AE Scripting

Virtual Speaking: 10 Stats You Need To Know

Address cleansing & geocoding for parcel delivery logistics

| Parcel delivery driver in front mobile device with map and pin