I have implemented this with the client credentials flow and it works fine as long as I use full_access_as_app in API permissions in the Azure portal. It grants tenant-wide access to all mailboxes, and the CustomResourceScope setting in Exchange does take effect.
Also, when I remove full_access_as_app in the Azure portal and only use the ManagementRoleAssignment in Exchange, it is able to get the token, but binding to the root folder (using EWS) returns a 403 Forbidden exception. I have assigned the following roles in Exchange:
1. New-ServicePrincipal -AppId $clientId -ObjectId $objectId -DisplayName "Mailbox Migration App"
2. New-ManagementRoleAssignment -App $objectId -Role "Application EWS.AccessAsApp" -CustomResourceScope "User Mailboxes"
3. New-ManagementScope -Name $MgmtScopeName -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"
OR
3. New-ManagementScope -Name $MgmtScopeName -RecipientRestrictionFilter "Name -eq 'DiegoS'"
Basically, the setup doesn't work if not using full_access_as_app, and there is no way to restrict scope. What am I doing wrong here (I am using the managed EWS API in C#)?
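For reference, here is an added Exchange Online PowerShell script (not part of the original post) that creates the management scope before the role assignment references it by name and then verifies the resulting authorisation with Test-ServicePrincipalAuthorization. The GUIDs, the scope name and the mailbox addresses are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not the poster's code. Assumes Connect-ExchangeOnline has been run.
$clientId      = "00000000-0000-0000-0000-000000000000"   # placeholder: app (client) ID
$objectId      = "11111111-1111-1111-1111-111111111111"   # placeholder: service principal object ID
$MgmtScopeName = "MigrationPilotMailboxes"                # constructed scope name
$testMailbox   = "user1@contoso.example"                  # placeholder: mailbox that should be in scope
$otherMailbox  = "user2@contoso.example"                  # placeholder: mailbox that should stay out of scope

# 1. Register the Entra service principal with Exchange Online.
#    (Newer ExchangeOnlineManagement releases name the second parameter -ServiceId.)
New-ServicePrincipal -AppId $clientId -ObjectId $objectId -DisplayName "Mailbox Migration App"

# 2. Create the scope first, so step 3 can reference an existing scope by the same name.
#    A single-mailbox filter is shown; "RecipientType -eq 'UserMailbox'" would widen it
#    to every user mailbox, so keep the filter as narrow as the migration actually needs.
New-ManagementScope -Name $MgmtScopeName `
    -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$testMailbox'"

# 3. Bind the EWS application role to that scope (same name as created in step 2).
New-ManagementRoleAssignment -App $objectId `
    -Role "Application EWS.AccessAsApp" `
    -CustomResourceScope $MgmtScopeName

# 4. Check what Exchange will allow before debugging the client: the in-scope mailbox
#    should show the role as authorised, the out-of-scope one should not.
Test-ServicePrincipalAuthorization -Identity $objectId -Resource $testMailbox  | Format-Table
Test-ServicePrincipalAuthorization -Identity $objectId -Resource $otherMailbox | Format-Table

# 5. Audit which principals hold the EWS application role and with what scope
#    (a quick least-privilege review of application access to mailboxes).
Get-ManagementRoleAssignment -Role "Application EWS.AccessAsApp" |
    Format-List RoleAssignee, CustomRecipientWriteScope
```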