Jay Carper
Brass Contributor
Oct 13, 2021
Solved

What does "all mailboxes" really mean in Teams app permissions?

An end user requested that I grant admin consent to a Team app's permissions. When I looked at the app, here's what I found:

This app says it wants full access to ALL mailboxes without a signed in user. Nobody in their right minds would ever grant any Teams app such an extraordinary level of access to their organization! 

 

But does that actually mean what it says? I have discovered that some of these permission descriptions don't actually mean what they say and none of Microsoft's documentation seems to provide any clarity. Will consenting to this request actually grant full access to every mailbox in my organization?

3 Replies

  • Those are excessive permissions indeed, you're right to doubt them. What does the app claim to do? If it's anything related to Calendaring, EWS is a valid scenario still. The problem with this permission scope is that it gives you unrestricted access across all mailboxes, not limiting it to Calendar items/operations though. You can restrict which mailboxes will be under its scope (https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/), but there is no way to restrict the operations themselves.
  • Ed Woodrick
    Iron Contributor
    How do you expect it to see and put things on people's calendars? Service account access to all mailboxes is a pretty common thing. Just about every Exchange Server has a Blackberry account.
    • Jay Carper
      Brass Contributor
      This isn't a service account. It's a Teams app.
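
The mailbox scoping mentioned in the first reply, as an added PowerShell example (not written by anyone in this thread): it creates an application access policy with the Exchange Online cmdlets, then checks that an approved mailbox is granted and an unapproved one is denied. All parameter values are placeholders supplied by the caller, and the group name is made up; as the reply says, this limits which mailboxes the app can reach, not which operations it can perform on them.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. Every value passed in is a placeholder chosen by the admin;
# none of them comes from the thread.
param(
    [Parameter(Mandatory)] [string]   $AppId,             # application (client) ID of the app under review
    [Parameter(Mandatory)] [string]   $ScopeGroupSmtp,    # address for the new mail-enabled security group
    [Parameter(Mandatory)] [string[]] $AllowedMailboxes,  # mailboxes the app may reach
    [Parameter(Mandatory)] [string]   $OutOfScopeMailbox  # a mailbox the app must NOT reach
)

Connect-ExchangeOnline

# 1. Mail-enabled security group whose members are the only mailboxes in scope.
$group = New-DistributionGroup -Name "AppScope-$AppId" -Type Security `
    -PrimarySmtpAddress $ScopeGroupSmtp -Members $AllowedMailboxes

# 2. RestrictAccess: the app can reach members of the group and nothing else.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Limit app $AppId to approved mailboxes"

# 3. Verify both directions: approved mailboxes granted, the other one denied.
$results = foreach ($mbx in @($AllowedMailboxes) + $OutOfScopeMailbox) {
    $check = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mbx
        Expected = if ($mbx -eq $OutOfScopeMailbox) { 'Denied' } else { 'Granted' }
        Actual   = "$($check.AccessCheckResult)"
    }
}
$results | Format-Table -AutoSize

# Stop loudly if the policy does not scope the app the way it was meant to.
$bad = $results | Where-Object { $_.Expected -ne $_.Actual }
if ($bad) {
    throw "Policy scope is wrong for: $($bad.Mailbox -join ', ')"
}
```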
