Forum Discussion
Primer: How to Use RBAC for Applications to Control App Use of the Mail.Send Permission
The temptation to use the Mail.Send application permission in scripts can lead PowerShell developers into trouble because the permission allows access to all mailboxes, including sensitive executive and financial mailboxes. Fortunately, RBAC for Applications allows tenants to control the access that apps have to mailboxes and other Exchange content. All explained here with an example script to test RBAC of Applications.
https://office365itpros.com/2026/02/17/mail-send-rbac-for-applications/
4 Replies
- balchinderhumar (Occasional Reader)
Think of Mail.Send as the Tez Mirch (extra spice)—if you throw it into the Entra ID pot globally, it ruins the whole dish by giving the app access to every sensitive mailbox. Instead, you must follow a proper RBAC recipe: first, register your app but keep the Entra ID permissions bland (no Mail.Send there); then, prepare your base by creating a Service Principal in Exchange Online. Next, define a Management Scope—this is like your Thali boundary, ensuring the app only tastes specific mailboxes. Finally, stir in the New-ManagementRoleAssignment to grant the Application Mail.Send role strictly within that scope. Now your automation is perfectly seasoned—powerful enough to do its job, but restricted so it doesn't touch the CEO's "Premium Biryani" emails. Should I send over the PowerShell masala (code) so you can start cooking, or do you want to test the flavor first?
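The steps described in the reply above, written out as an added example (not code from the linked article or from any poster in this thread). The app ID, object ID, mailbox addresses, scope name and the use of CustomAttribute10 as the scoping marker are all placeholders or assumptions; it expects the ExchangeOnlineManagement module and an Exchange administrator session.

```powershell
# Added example: scope Mail.Send for one app with RBAC for Applications.
# Every ID, name and address below is a constructed placeholder.
$AppId    = '00000000-0000-0000-0000-000000000000'  # placeholder: application (client) ID
$ObjectId = '11111111-1111-1111-1111-111111111111'  # placeholder: enterprise app (service principal) object ID
$InScope  = 'helpdesk.alerts@contoso.example'       # constructed: mailbox the app may send from
$OutScope = 'ceo@contoso.example'                   # constructed: mailbox that must stay off limits
$Scope    = 'Alert Mailer Mailboxes'                # hypothetical scope name

Connect-ExchangeOnline -ShowBanner:$false

# 1. Create the Exchange Online pointer to the Entra ID service principal.
#    Use the enterprise application's object ID, not the app registration's.
New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'Alert Mailer (example)'

# 2. Mark the mailboxes the app is allowed to use (assumed marker attribute).
Set-Mailbox -Identity $InScope -CustomAttribute10 'AlertMailer'

# 3. Management scope that matches only the marked mailboxes.
New-ManagementScope -Name $Scope -RecipientRestrictionFilter "CustomAttribute10 -eq 'AlertMailer'"

# 4. Grant the Application Mail.Send role inside that scope only.
New-ManagementRoleAssignment -Name 'Alert Mailer Mail.Send (example)' `
    -App $ObjectId -Role 'Application Mail.Send' -CustomResourceScope $Scope

# 5. Verify both sides: InScope should be True for the marked mailbox
#    and False for the one outside the scope.
foreach ($Mailbox in $InScope, $OutScope) {
    Test-ServicePrincipalAuthorization -Identity $ObjectId -Resource $Mailbox |
        Select-Object RoleName, AllowedResourceScope, ScopeType, InScope
}

# Entra ID grants and RBAC for Applications grants are additive: if the app
# still holds the Mail.Send application permission in Entra ID, the scope
# above restricts nothing. Confirm that grant is absent before relying on it.
```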
- Blue_Bird (Occasional Reader)
Thanks for sharing..! TonyRedmond