Forum Discussion
JanRezab
May 21, 2025, Copper Contributor
ApplicationAccessPolicy vs Azure Automation Account
Hi all.
I have an Azure Automation Account (AAA) with a system-assigned managed identity enabled. I added the Graph API permission Mail.Send (application) to this identity, and in a script I'm able to send on behalf of any mailbox. It works correctly.
I want to restrict this AAA to specific mailboxes. So I followed "Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Learn". I created a Service Principal for the AAA with the "New-ServicePrincipal" command and created a new Application Access Policy.
When I test it via Test-ApplicationAccessPolicy command I see correct result.
But the AAA is still able to send an email on behalf of a mailbox. Do you have the same experience?
You should be using the AppId value when creating the policy, not the objectId. Also, keep in mind that Application access policies are going away in the future, consider using the RBAC for applications method instead: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
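As an added example (not code from the thread or from Microsoft's documentation), this is the PowerShell sequence the reply describes: resolve the managed identity to its AppId, create the Application Access Policy keyed on that AppId, and test it. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules; the Automation Account name, group address and mailboxes are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: 'aaa-placeholder'
# (Automation Account name), the group address and the two test mailboxes.
Connect-MgGraph -Scopes 'Application.Read.All'
Connect-ExchangeOnline

# 1. A system-assigned managed identity appears in Entra ID as a service
#    principal whose display name is the Automation Account name. The policy
#    must be created with its AppId; passing the ObjectId (Id) instead yields
#    a policy that matches nothing, which is why mail still flows.
$sp       = Get-MgServicePrincipal -Filter "displayName eq 'aaa-placeholder'"
$appId    = $sp.AppId
$objectId = $sp.Id

# 2. Register the service principal in Exchange Online (one-time).
New-ServicePrincipal -AppId $appId -ObjectId $objectId -DisplayName $sp.DisplayName

# 3. Option A (what the asker did): Application Access Policy, keyed on AppId,
#    limiting the identity to the members of a mail-enabled security group.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId 'allowed-senders@contoso.example' `
    -AccessRight RestrictAccess `
    -Description 'Limit Automation Account Mail.Send to approved mailboxes'

# 4. Verify: a group member should report Granted, any other mailbox Denied.
#    Policies take time to propagate, so re-run the sends after a while.
Test-ApplicationAccessPolicy -Identity 'in-scope@contoso.example'     -AppId $appId
Test-ApplicationAccessPolicy -Identity 'out-of-scope@contoso.example' -AppId $appId

# 5. Option B (what the reply recommends): RBAC for applications. Assign the
#    built-in 'Application Mail.Send' role scoped by a management scope; no
#    Graph permission grant on the identity is needed for this model.
$scope = New-ManagementScope -Name 'AAA senders' `
    -RecipientRestrictionFilter "MemberOfGroup -eq '<group distinguished name placeholder>'"
New-ManagementRoleAssignment -App $objectId -Role 'Application Mail.Send' `
    -CustomResourceScope $scope.Name
Test-ServicePrincipalAuthorization -Identity $objectId -Resource 'in-scope@contoso.example'
```

Use one of the two models, not both; the reply notes Application Access Policies are being retired in favour of RBAC for applications.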
JanRezab, Copper Contributor
Yeah... it works correctly. What's a bit confusing is that I don't have to assign the Mail.Send right like the other Graph API rights, but just assign RBAC roles.