We are excited to announce support of Client Credential Flow (CCF) for SMTP AUTH in Exchange Online. CCF for SMTP AUTH allows applications to use Modern authentication for submitting authenticated em...
@The_Exchange_Team and anyone else savvy on this topic... I'm wondering about scoping of access to specific mailboxes for "Office 365 Exchange Online" > "Application Permissions" > "SMTP" > "SMTP.SendAsApp".
In the Entra UI, we're told this permission allows the app to have send access to all mailboxes. That seems in line with typical Application Permissions.
But then the documentation states that we need to create the EXO-side service principal to match up with the Entra ID service principal, and then grant the EXO-side SPN FullAccess/Send-As to grant the necessary access.
This seems to be outside the lanes of RBAC for Applications in Exchange Online, as well as Application Access Policies. The question is - can we truly, safely assume that only the mailboxes which have granted FullAccess/Send-As will be accessible to these application permission versions of IMAP.AccessAsApp, POP.AccessAsApp, and SMTP.AccessAsApp?
Thanks in advance.
I guess it would be nice if the EXO RBAC for Applications and Application Access Policy guide pages made reference to the IMAP.AccessAsApp, POP.AccessAsApp, and SMTP.AccessAsApp permissions, even if just to link to the "Authenticate an IMAP, POP, or SMTP application by using OAuth" page. Just so that we could have some centralized documentation around scoping application permissions to specific mailboxes. 3 islands right now.