
I'm developing an AWS Lambda function which will need to access an Outlook 365 inbox at a regular interval. I'm using Graph API for accessing the inbox.

I created a new Azure AD web application registration using the Azure Active Directory admin center (https://aad.portal.azure.com/). When assigning API Permissions to my app, I have an option to choose between Delegated permissions and Application permissions. I can't use delegated permissions since my code will run without any user interaction.

When choosing application permissions, I can't find a way to restrict the permission to one user account. For example, if I try to give the app Mail.Read application permission, it'll get access to all mailboxes in the enterprise. Or maybe I'm interpreting the permission description incorrectly.

How do I give my app API permissions to one user's mailbox?

Azure AD App API Permissions

    Please check if this can help. https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access – Shiva Keshav Varma Mar 19 '21 at 11:45
  • Yes try the above what Shiva suggested, it will let you to limit the mailbox access. If you need help, do let me know. – Dev Mar 20 '21 at 04:05
  • Have you solved it with Shiva's comment? Any updates here? – unknown Mar 22 '21 at 01:25
  • Thank you! This looks like exactly what I need. I'm following up with our Exchange admin since I don't have permission to execute Exchange Online cmdlets. I'll post updates here. – Aditya Kar Mar 22 '21 at 06:48

2 Answers

This issue was solved by Shiva's comment; adding it as the answer to close the question:

Some apps call Microsoft Graph using their own identity and not on behalf of a user. For example, the Mail.Read application permission allows apps to read mail in all mailboxes without a signed-in user.

Configuring ApplicationAccessPolicy is used to limit the app access to a specific set of mailboxes.

1. Connect to Exchange Online PowerShell

Connect-ExchangeOnline -UserPrincipalName <UPN> [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]

2. Identify the app’s client ID and a mail-enabled security group to restrict the app’s access to.

3. Create an application access policy.

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."

For more details about New-ApplicationAccessPolicy, see here.


Thank you Shiva and Pamela. I'll elaborate the steps for others who stumble upon this thread.

Creating a Mail-enabled group:

  1. Login to https://admin.microsoft.com/.
  2. Click on Groups > Active Groups.
  3. Click on Add a Group and select Mail-enabled security.
  4. Provide a name for the group and then a group email address.
  5. Add the shared legal mailbox as a member to this newly created group.

Registering and configuring a new app:

  1. Login to https://aad.portal.azure.com/
  2. Click on Azure Active Directory. This should bring you to your org's directory.
  3. Click on App Registrations.
  4. Click on New registration.
  5. Provide a name for the app.
  6. Select the supported account type as Single Tenant.
  7. Provide the redirect URI (web) as https://login.microsoftonline.com/common/oauth2/nativeclient
    • This might be inconsequential for your app but a redirect URI needs to be provided.
  8. Click on Register. Please copy and store the Application (client) ID and Directory (tenant) ID.
  9. Click on API Permissions and click on Add a permission.
  10. Select Microsoft Graph and select the permission type as Application permissions.
  11. From the list, select Mail.Read permission and click on Add permissions.
  12. Under Configured permissions for the app, click on Grant admin consent for your org.
  13. Click on Certificates & secrets. Click on New client secret and set the expiry, preferably to Never.
  14. Please copy and store the secret value.

Restrict the app access:

  1. Open PowerShell with elevated privileges on the Exchange Admin’s Windows machine.
  2. Allow executing scripts that are signed by a trusted publisher. Use the following command to do so.
    • Set-ExecutionPolicy RemoteSigned
  3. Install the EXO (ExchangeOnline) V2 module with the following command.
    • Install-Module -Name ExchangeOnlineManagement
  4. Load the EXO V2 module.
    • Import-Module ExchangeOnlineManagement
  5. Connect to the Exchange Online PowerShell using an admin account.
    • Connect-ExchangeOnline -UserPrincipalName admin-account@yourorg.com
  6. This should open a SSO dialog box. Sign in with the admin account.
  7. For the next step we’ll need the group email address created in step 4 and the app client ID from step 13.
  8. Restrict the app’s API permission to only the members of the group using the following command.
    • New-ApplicationAccessPolicy -AppId client-id-from-step-13 -PolicyScopeGroupId group-email-from-step-4@yourorg.com -AccessRight RestrictAccess -Description "Restrict app to group Legal Inbox."
  9. That’s it! The change to application access policies can take up to 30 minutes to take effect in Graph REST API calls.
  10. Logout of ExchangeOnline PowerShell.
    • Disconnect-ExchangeOnline
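Both answers above show how to create the ApplicationAccessPolicy but not how to confirm it is actually in force before the Lambda goes live. The following is an added example, not code from either answer, that creates the policy idempotently and then uses Test-ApplicationAccessPolicy to check one mailbox inside the group and one outside it. The app ID, group address and the two mailbox addresses are placeholders you must replace with your own values.

```powershell
# Added example: create the restriction policy once, then verify its effect.
# All four values below are placeholders, not values from the original thread.
$AppId      = "00000000-0000-0000-0000-000000000000"   # Application (client) ID of the app registration
$ScopeGroup = "legal-inbox-group@yourorg.com"            # mail-enabled security group from the answer's step 4
$InScope    = "legal@yourorg.com"                        # mailbox that IS a member of the group
$OutOfScope = "someone-else@yourorg.com"                 # mailbox that is NOT a member of the group

Connect-ExchangeOnline -UserPrincipalName admin-account@yourorg.com

# Create the policy only if this app does not already have one,
# so re-running the script does not produce duplicate policies.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess -Description "Restrict app to group Legal Inbox."
}

# Verify the policy per mailbox: AccessCheckResult is Granted or Denied.
$inScopeCheck    = Test-ApplicationAccessPolicy -Identity $InScope    -AppId $AppId
$outOfScopeCheck = Test-ApplicationAccessPolicy -Identity $OutOfScope -AppId $AppId
@($inScopeCheck, $outOfScopeCheck) | Format-Table Mailbox, AppId, AccessCheckResult

# The security-relevant check: the out-of-scope mailbox must be Denied.
# Policy changes can take up to 30 minutes to apply, so a Granted result
# right after creation may just mean "not yet in effect".
if ($outOfScopeCheck.AccessCheckResult -ne "Denied") {
    Write-Warning "App can still read $OutOfScope - policy not yet effective or scope group is wrong."
}
if ($inScopeCheck.AccessCheckResult -ne "Granted") {
    Write-Warning "App cannot read $InScope - check that the mailbox is a member of $ScopeGroup."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the two Test-ApplicationAccessPolicy calls again later if the first run was within the 30-minute propagation window, and repeat them whenever group membership changes.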