How to allow AAD App with Application Permissions to access specific email boxes
I created Send email on behalf of a service account using Office Graph API long time ago to showcase how to leverage an AAD App to send email via Graph API. I leveraged an AAD App with Application permission to send email on behalf of any email accounts within a tenant. Since this approach can access any email accounts, it actually provided “Too much” privileges and introduced security concerns for a tenant. The application built on this approach can be rejected by a enterprise’s security team based on this security concerns. How can an AAD App get access to email accounts without accessing entire tenant? Graph API introduced Scoping application permissions to specific Exchange Online mailboxes which helped us to balance the requirement and security. Let’s look at how to implement that.
Create an AAD App
Let’s create an AAD App.
- Access Azure Active Directory in your tenant
- Create a AAD App by clicking “App registrations”->”New registration” button. Give the name and select the account access type (single tenant or multitenant). You don’t need to provide “Redirect URL” since we are going to use “Application Permission”
- We need to create “Client Secrets” since we are going to use Client Credential Flow to get token. Go to “Certificate & secrets” tab and click “New client secret” button under “Client secrets” section to create a secret. give a name and expiration for your secret.
- Grant the permission to access EXO via Graph API. Go to “API permissions”-> “Add a permission” to bring up the “Request API permissions” panel. Select “Microsoft Graph”, choose “Application permissions” and select the permission you like for “Mail” section. Since this is application permission, all the permissions require a admin to consent.
- Once you added the permissions, you need to consent the permission since the most of “Application Permissions” have higher privileges and require admin consent. After you consent the permissions, you can “Granted for [tenant]” message showed at each of the permissions. Now your AAD App should be able to access EXO with “Application Permissions”
Create Mail enabled Security Group
In order to create Application Access policy, we need to first to create a security group inside EXO. this security group needs to be a mail enabled security group. You can follow up Create mail-enabled security groups to create a mail enabled security group from EXO admin center.
Once you have security group, you can include your mail account to the group’s membership tab.
Create Application Access Policy
After you created a mail-enabled security, we can create an Application Access Policy for EXO to just allow the AAD App to access this security group.
- Follow Connect to Exchange Online to connect to EXO remote session. The following is the screenshot for a remote EXO PS session.
#get connection credential
$UserCredential = Get-Credential#create a remote PS Session to connect to your EXO
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection#use the remote PS session
Import-PSSession $Session -DisableNameChecking
- After you start EXO remote PS session, you can run get-mailbox cmdlet to test that. you should be able to get all the mailbox in your tenant.
- run the following cmdlet to add the application access policy
AppId: the AAD App you created.
PolicyScopeGroupId: the mail-enabled security group. ApplicationAccessPolicyGroup@contoso.com
New-ApplicationAccessPolicy -AppId [AppId] -PolicyScopeGroupId [securitygroupaddress] -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group."
- you can run the following command to test your AAD App by providing a email account which you want to test. for our case, we add AllanD to the that security group and the test result shows that the AAD App can access that. From the other hand, when I provided additional email, the access is denied.
Test that from PostMan
the follow is the screenshot from the Postman when we access those mail box using Application permission.
When I access the alland email, I got all the mail box information from Graph API.
When I access the frank email, I got the “ErrorAccessDenied” error.