I have an Azure integrated service application (daemon app) with permissions to the Microsoft Graph API. I can now read all the mailboxes for the entire company, which is awesome but might raise some concerns with the business management. We use Outlook in Office 365. Is there a way to specify mailboxes that the app can have access to instead of having access to all mailboxes/users?
2 Answers
This Microsoft doc appears to give the answer: "Scoping application permissions to specific Exchange Online mailboxes" https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Administrators who want to limit the app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control. This article covers the basic steps to configure an application access policy.

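The cmdlet named in the answer above, shown end to end as an added example (this is not code from the original answer or from the linked Microsoft doc). It assumes the ExchangeOnlineManagement module is installed, that the caller holds an Exchange administrator role, and that the AppId and addresses are placeholders to be replaced with the daemon app's Application (client) ID and a mail-enabled security group that contains only the mailboxes the app should reach.

```powershell
# Added example (not from the original answer): scoping a daemon app's
# tenant-wide Graph mail permission down to a set of mailboxes with an
# Exchange Online application access policy.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin role,
# and placeholder values for the AppId and the scope group below.

Connect-ExchangeOnline

# Placeholder values: the app registration's Application (client) ID and a
# mail-enabled security group whose members are the only permitted mailboxes.
$appId      = '00000000-0000-0000-0000-000000000000'    # placeholder AppId
$scopeGroup = 'graph-daemon-mailboxes@contoso.example'  # placeholder group

# RestrictAccess: the app may only reach members of the scope group, even
# though it holds an application permission such as Mail.Read for the tenant.
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -Description 'Limit the mail daemon to the mailboxes in its scope group'

# Verify the effective decision for an in-scope and an out-of-scope mailbox.
# AccessCheckResult reads Granted for group members and Denied for everyone else.
Test-ApplicationAccessPolicy -Identity 'alice@contoso.example' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'bob@contoso.example'   -AppId $appId

# Review the policies currently in force for the tenant.
Get-ApplicationAccessPolicy
```

Two points worth checking after running this: the policy covers the Graph mail, calendar, contacts and mailbox-settings application permissions only, so it does not scope other Graph APIs the app might hold; and a new or changed policy is not instantaneous, so re-run Test-ApplicationAccessPolicy before treating the restriction as in effect.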
The daemon app uses the client credential flow to acquire the access token.
The client credential flow is used as an authorization grant typically when the client is acting on its own behalf. And it is not able to specify mailboxes that the app can have access to.
You can achieve this by implementing the business logic in the daemon app.

- Thanks, so a daemon app has access to everything or nothing. Thanks for clearing that up. – Kaptein Babbalas Sep 21 '16 at 05:09
- Yes, you were right. Based on my understanding, the daemon app should run in a 'safe' environment. We do not need to worry about token leakage. So limiting the resource access in the business logic should work in this scenario. – Fei Xue Sep 21 '16 at 07:58
- @FeiXue I am curious if, instead of doing business logic, it is possible to have the user opt in using consent (ref: https://learn.microsoft.com/en-us/graph/permissions-reference)? Even if business logic protects against it, there is still a big security hole. If there is a bug in the business logic OR a rogue user, they will potentially be able to access ALL of the emails for ALL mailboxes and there is no way for end customers to protect against that (but maybe with the consent feature?) – Chicago Dec 14 '18 at 16:06
- @FeiXue - I think what you wanted is possible using https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access - which allows you to specify the mailboxes to which the app will have access. I think even if your logic in the daemon app offers controls, the customer still might want to have an independent way to control who the app has access to? Let me know if this is helpful. – Chicago Sep 06 '19 at 15:13