Today, we’re excited to announce the availability of OAuth 2.0 authentication via client credentials grant flow for the POP and IMAP protocols for accessing Exchange Online mailboxes.
Applications ...
The_Exchange_Team and anyone else savvy on this topic... I'm wondering about scoping of access to specific mailboxes for "Office 365 Exchange Online" > "Application Permissions" > "SMTP" > "SMTP.SendAsApp".
In the Entra UI, we're told this permission allows the app to have send access to all mailboxes. That seems in line with typical Application Permissions.
But then the documentation states that we need to create the EXO-side service principal to match up with the Entra ID service principal, and then grant the EXO-side SPN FullAccess/Send-As to grant the necessary access.
This seems to be outside the lanes of RBAC for Applications in Exchange Online, as well as Application Access Policies. The question is - can we truly, safely assume that only the mailboxes which have granted FullAccess/Send-As will be accessible to these application permission versions of IMAP.AccessAsApp, POP.AccessAsApp, and SMTP.AccessAsApp?