How to restrict the set of users in an Azure directory for OAuth2.0 authentication token

%3CLINGO-SUB%20id%3D%22lingo-sub-2370420%22%20slang%3D%22en-US%22%3EHow%20to%20restrict%20the%20set%20of%20users%20in%20an%20Azure%20directory%20for%20OAuth2.0%20authentication%20token%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2370420%22%20slang%3D%22en-US%22%3E%3CP%3EBackground%3A%3CBR%20%2F%3EWe%20are%20trying%20to%20replace%20the%20basic%20authentication%20with%20Oauth2.0%2C%20and%20created%20a%20%22workable%22%20solution%20with%20below%20steps%20%5B1%5D%3A%3CBR%20%2F%3E1.register%20application%20(%3CSTRONG%3ETestApp%3C%2FSTRONG%3E%20for%20example)%20in%20Azure%20AD%20with%20some%20application%20permissions%3A%20Mail.read%20(Microsoft%20Graph)%20and%26nbsp%3B%3CSPAN%3Efull_access_as_app%20(Office%20365%20Exchange%20Online)%3CBR%20%2F%3E%3C%2FSPAN%3E2.Grant%20admin%20consent%20for%20AD%3CBR%20%2F%3E3.Add%20code%20to%20get%20authentication%20token%20by%20using%20client%20credential%20provider%3C%2FP%3E%3CP%3E4.Add%20token%20to%20EWS%20request%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20issue%20we%20found%20is%20every%20user%20under%20this%20Azure%20AD%20can%20fetch%20email%20from%20mailboxes%20with%20requested%20token%20by%20using%20%3CSTRONG%3ETestAPP%3C%2FSTRONG%3E's%20data%3A%20client_id%2C%20client_secret%2C%20tenant_id.%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20there%20any%20way%20to%20restrict%20the%20set%20of%20users%20in%20this%20Azure%20AD%20to%20request%20the%20authentication%20token%3F%3CBR%20%2F%3EThe%20%3CSTRONG%3E%22Enable%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3EUser%20assignment%20required%22%3C%2FSTRONG%3E%26nbsp%3Bmethod%5B2%5D%20didn't%20solve%20the%20issue%20as%20all%20users%20under%20Azure%20AD%20can%20fetch%20the%20emails%20with%20auth%20token%20acquired%20by%20using%26nbsp%3B%3CSTRONG%3ETestAPP%3C%2FSTRONG%3E's%20data.%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20let%20me%20know%20if%20anyone%20has%20any%20advices%20for%20this%20issue%2C%20thanks%20in%20advance!%3CBR%20%2F%3E%3CBR%20%2F%3EReference%3A%3C%2FP%3E%3CP%3E%5B1%5D%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Fexchange-web-services%2Fhow-to-authenticate-an-ews-application-by-using-oauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Fexchange-web-services%2Fhow-to-authenticate-an-ews-application-by-using-oauth%3C%2FA%3E%3CBR%20%2F%3E%5B2%5D%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Fexchange-web-services%2Fhow-to-authenticate-an-ews-application-by-using-oauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fhowto-restrict-your-app-to-a-set-of-users%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Background:
We are trying to replace the basic authentication with Oauth2.0, and created a "workable" solution with below steps [1]:
1.register application (TestApp for example) in Azure AD with some application permissions: Mail.read (Microsoft Graph) and full_access_as_app (Office 365 Exchange Online)
2.Grant admin consent for AD
3.Add code to get authentication token by using client credential provider

4.Add token to EWS request

The issue we found is every user under this Azure AD can fetch email from mailboxes with requested token by using TestAPP's data: client_id, client_secret, tenant_id.

Is there any way to restrict the set of users in this Azure AD to request the authentication token?
The "Enable User assignment required" method[2] didn't solve the issue as all users under Azure AD can fetch the emails with auth token acquired by using TestAPP's data.

Please let me know if anyone has any advices for this issue, thanks in advance!

Reference:

[1] https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate...
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-...


0 Replies