Update 7/31/2023: This feature has been fully released (is not in preview anymore).
If, as an administrator, you’ve ever consented to app-only permissions like Mail.Read in Azure Active Directory (Azure AD), you are likely familiar with the coarse-grained nature of these permissions. Access is granted at a tenant-wide resource scope which leads to over-privileged applications.
Today, we are excited to announce the Public Preview of Role Based Access Control (RBAC) for Applications in Exchange Online. The Preview introduces a new set of resource-scoped permissions for Exchange Online to help you better protect access to your tenant’s data. Scoped access covers email, contacts, and calendar data using Microsoft Graph or Exchange Web Services APIs. This continues our support of customers pursuing the principle of least privileged access to their data.
How RBAC for Applications Works
RBAC for Applications allows admins to grant permissions using a role assignment to an application that accesses Exchange Online data without user involvement. Admins can limit the data an application can access using a resource scope. This feature extends our current RBAC model and will replace the current Application Access Policy feature.
The core of this model is the role assignment configuration that expresses an admin’s intent to allow an app (in this case, a Service Principal representing an application within a tenant) to perform some action against a set of target resources. For example an admin might use a Management scope to allow a room booking system to access calendar data in specific regions, as illustrated below.
New-ManagementScope -Name "Canadian employees" -RecipientRestrictionFilter "CustomAttribute1 -eq '012332'"
New-ManagementRoleAssignment -App 6233fba6-0198-4277-892f-9275bf728bcc -Role "Application Calendars.Read"
-CustomResourceScope "Canadian Employees"
Permissions assigned using this feature are constrained to a subset of mailboxes within a tenant. The Preview provides two resource scoping mechanisms, both of which are supported by Exchange RBAC: management scopes, and admin units. Management scopes are defined in Exchange Online and admin units are defined in Azure AD. Both scopes define subsets of Exchange data, as illustrated below.
Preview Details
The Preview is now available to all customers in our worldwide multi-tenant environment, and we expect to reach general availability in H1 2023. During the Preview, management is available using Exchange Online PowerShell. Management will be available using Microsoft Graph PowerShell and the Azure Active Directory admin center in 2023.
For our larger customers, we’ve designed RBAC for Applications to support a scalable number of apps per tenant to address the limits of Application Access Policies which support a maximum of 300 apps per tenant.
Service Principals representing apps must be manually created in Exchange Online during the Preview, but this process will be automated to offer a more efficient user experience at GA. For the Preview, you should consider the Service Principal in Exchange Online to be a pointer to a Service Principal in Azure AD. Azure AD manages Service Principal registrations within tenants, so the Azure Active Directory admin center, MS Graph PowerShell, or the Azure CLI can be used to create and manage them.
Application Access Policies and RBAC for Applications are compatible for side-by-side use, though our intention is to deprecate Application Access Policies after RBAC for Applications becomes GA. Application Access Policies constrain permissions consented in Azure AD, while RBAC for Applications offers a new method for granting constrained permissions directly within Exchange Online.
Unified Management Experience
Though the Preview uses only Exchange Online PowerShell, we will be introducing a unified management experience for application permissions in 2023 to avoid fragmenting permission grant experiences across multiple places.
To ensure admins have a consolidated view of app permissions, we will be surfacing the permissions granted in Exchange Online in an Azure AD admin experience. Resource-scoped permissions will be shown with tenant-wide permissions grants using the Microsoft Graph API as detailed below.
Permission |
Scope Type |
Resource Scope |
Mail.Read |
Exchange Management Scope |
Employees in Canada |
Calendars.Read |
Tenant |
Tenant |
Contacts.Read |
Admin Unit |
Employees in the EU |
Permissions consent workflow for developers and admins
We also plan to leverage the power of Azure’s developer-administrator management experience by allowing these more granular permissions to be requested by app developers and granted by administrators in an app management experience within Azure AD.
Our goal is to provide a high degree of scoping flexibility within Exchange Online and other Microsoft services while also fulfilling admin needs for visibility and developer needs for resource-scoped app permissions.
Start securing your tenant by using resource-scoped permissions today, instructions are available here: Preview documentation.
Share your feedback on the Preview with us at exoapprbacpreview@microsoft.com, we’re excited to hear about your experiences using this feature and discuss any granular access needs it leaves on the table.
The Exchange Online Team
You Had Me at EHLO.