Scoping Microsoft Graph application permissions to specific Exchange Online mailboxes
Published Jun 05 2019 11:52 AM

Today we’re excited to announce the release of the Application Access Policy feature for Exchange Online PowerShell. This feature allows Exchange Online administrators to scope application permissions for Microsoft Graph to allow access to specified mailboxes in their Office 365 tenant.

Why would you need to do this? Well, imagine Contoso, an Office 365 customer that has thousands of employees spread across multiple departments. Contoso has built and deployed an appointment booking app that helps their customers book service appointments with specialist technicians employed by the company.

The app Contoso built uses Microsoft Graph to identify free appointment times on the technicians’ calendars and uses them to book appointments. Because the app requires access to multiple technicians’ mailboxes, it uses the OAuth 2.0 client credentials grant flow, and application permissions were granted to it, enabling the app to access all mailboxes in the organization, not just the mailboxes belonging to technicians.

Using Application Access Policies, Contoso administrators can now restrict the app’s access to only the technicians’ mailboxes via a security group, and disallow its access to other mailboxes.

You can use the following steps to configure an application access policy. These steps are specific to Exchange Online resources and do not apply to other Microsoft Graph workloads.

  1. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell (or use Azure Cloud Shell!)
  2. Identify the app’s client ID and a mail-enabled security group to use for controlling the app’s access.
    • Identify the app’s application (client) ID in the Azure app registration portal.
    • Create a new mail-enabled security group or use an existing one and identify the email address for the group.
  3. Create an application access policy.
    • Run the following command, replacing the AppId, PolicyScopeGroupId, and Description arguments with your own values:
      New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
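The following script walks the procedure above for the Contoso booking-app scenario and then verifies the result; it is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), and the group address and the two mailbox addresses are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account holding an Exchange admin role.
$AppId      = 'e7e4dbfc-046f-4074-9b3b-2ae8f144f59b'   # application (client) ID from the post
$ScopeGroup = 'Technicians@contoso.com'                # mail-enabled security group (constructed)

Connect-ExchangeOnline

# 1. Scope the app to the members of the group only. Without a policy, an app
#    holding application permissions such as Calendars.ReadWrite can reach
#    every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Booking app: restrict Graph access to technician mailboxes'

# 2. Verify the effective result for a mailbox that should be reachable and one
#    that should not. Test-ApplicationAccessPolicy evaluates the policy the same
#    way Microsoft Graph will; policy changes can take a while to propagate, so
#    re-run this check if a result is not what you expect immediately after step 1.
$checks = @(
    @{ Mailbox = 'tech1@contoso.com'; Expected = 'Granted' }   # member of the scope group (constructed)
    @{ Mailbox = 'hr1@contoso.com';   Expected = 'Denied'  }   # not a member (constructed)
)
foreach ($c in $checks) {
    $r  = Test-ApplicationAccessPolicy -Identity $c.Mailbox -AppId $AppId
    $ok = ($r.AccessCheckResult -eq $c.Expected)
    '{0,-22} expected={1,-8} actual={2,-8} {3}' -f $c.Mailbox, $c.Expected,
        $r.AccessCheckResult, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# 3. Review every policy in the tenant. Any app with application permissions
#    that does not appear here still has tenant-wide mailbox access.
Get-ApplicationAccessPolicy |
    Format-Table AppId, AccessRight, ScopeName, Description -AutoSize
```

Step 2 is the check worth keeping in a runbook: a Denied result for a mailbox outside the group is the evidence that the scoping actually took effect.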

You can use the following links to learn more about this feature.

Additional resources

Scoping application permissions to specific Exchange Online mailboxes

New-ApplicationAccessPolicy

Get-ApplicationAccessPolicy

Remove-ApplicationAccessPolicy

Set-ApplicationAccessPolicy

Test-ApplicationAccessPolicy

Please let us know if you have additional feedback about Microsoft Graph or suggestions for new functionality.

The Exchange Team

11 Comments
Copper Contributor

Great news!!

Copper Contributor

This is awesome, definitely needed!  Thanks!

Copper Contributor

@The_Exchange_Team This is fantastic news... I have a couple of questions:

1. Does this apply only to apps using Application Permissions to access mailboxes (e.g. admin approved apps that have access to every mailbox in the tenant)? Or could it also be used to scope access granted to apps using delegated permissions? For example, if users (unwittingly) grant delegated permissions for a registered app to access their Exchange Calendar, can we as administrators, restrict that access to only members of an approved group using this new application access policy?

2. Do the application access policies support nested security groups or are they limited to flat groups?

Brass Contributor

Game changer!

Microsoft

This is wonderful.  I almost cried when I read this article.  Please spread the word everywhere.

@Stuart Chapman - glad you like it.

For apps with delegated permissions, users can be granted access using the Azure Active Directory pages in the Azure portal, and at this time you have to update all the security groups; nesting is not supported.

Microsoft

@The_Exchange_Team Just covered this in a Technical Update Briefing for a customer and had a couple questions:

1. Is this a 1:1 setup where you can only have 1 policy per group?

2. Is there a limitation to how many people can be in a group?

I'm assuming there is no limitation other than the standard group size limit but want to double check before I get back to them. Glad this is out now!

Copper Contributor

@Greg Taylor - EXCHANGE Just to be clear, does this mean delegated permissions are restricted by this?

Or not because each user can consent or not themselves?

Brass Contributor

Great feature... now need similar features for other services like SPO and Teams

Copper Contributor

This is not working for AzureAD App Registrations, correct?

Copper Contributor

@wcbuerste I tried to do this as well. However, it doesn't seem to work for App registration.

Maybe I was doing it wrongly. Have you got any update regarding this?

Last update: Jun 05 2019 11:07 PM