exchange
Access control for Azure Active Directory Application to EWS mailboxes
I'm uncertain if this is in the correct place, so please bear with me. We are currently in the process of migrating our Exchange environment from On-Premise to Exchange 365. Our developer team has an on-premises application that uses EWS to read mailbox contents, then delete those messages. We were able to create an application registration in Azure Active Directory, and are able to access our mailboxes in 365 through impersonation and read contents. Our application is using OAuth with certificate authentication (no login credentials), and we have granted our application the "Use Exchange Web Services with full access to all mailboxes" right. The problem, however, is that we don't want this application to be able to access all mailboxes, only a specific set of mailboxes. Currently it is able to access any mailbox.

My question is: how can we properly secure this application so that it can only access mailboxes that we specify? I've seen different suggestions on scoping and roles, but have not been able to find a definitive answer. If we do not use OAuth, and use user credentials to log into EWS, we have a means of defining a write scope in Exchange 365, which will limit that impersonation access. I've been unable to find a similar means when using OAuth with a certificate and not using specific login credentials. If anyone can provide some help or direction here, it would be greatly appreciated. Please let me know if any additional details are required.
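The scoping the post asks for, as an added example that is not part of the original post or any reply: Exchange Online's RBAC for Applications lets a service principal be assigned the "Application EWS.AccessAsApp" role with a management scope, so the app-only (certificate) token is honoured only for the mailboxes in that scope. This is the app-only counterpart of the write-scope-on-impersonation approach the post mentions for credential-based access (an approach that depends on the ApplicationImpersonation role, which Microsoft has since retired in Exchange Online). The app ID, service principal object ID, scope name, custom attribute and mailbox addresses below are placeholders, and the steps assume the ExchangeOnlineManagement module and an admin holding the Role Management role.

```powershell
# Added example (not the original poster's code): scope an app-only EWS
# application to specific mailboxes with Exchange Online RBAC for Applications.
# All IDs, names and addresses are placeholders / assumptions.
Connect-ExchangeOnline

$appId    = '00000000-0000-0000-0000-000000000000'   # Entra application (client) ID - placeholder
$objectId = '11111111-1111-1111-1111-111111111111'   # enterprise application (service principal) object ID - placeholder

# 1. Register the service principal with Exchange Online so it can hold role assignments.
New-ServicePrincipal -AppId $appId -ObjectId $objectId -DisplayName 'EWS Mailbox Reader'

# 2. Mark the allowed mailboxes and build a management scope from the marker.
#    A recipient filter on a custom attribute keeps the scope maintainable:
#    add or remove a mailbox by setting or clearing the attribute.
'shared1@contoso.com', 'shared2@contoso.com' | ForEach-Object {
    Set-Mailbox -Identity $_ -CustomAttribute1 'EWSApp'
}
New-ManagementScope -Name 'EWSApp Mailboxes' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'EWSApp'"

# 3. Grant the EWS app-only role, restricted to that scope.
New-ManagementRoleAssignment -App $appId `
    -Role 'Application EWS.AccessAsApp' `
    -CustomResourceScope 'EWSApp Mailboxes'

# 4. Verify from Exchange's point of view: the first call should report the app
#    as in scope, the second should not.
Test-ServicePrincipalAuthorization -Identity $appId -Resource 'shared1@contoso.com'
Test-ServicePrincipalAuthorization -Identity $appId -Resource 'ceo@contoso.com'
```

Two caveats a practitioner should check before relying on this. First, the tenant-wide "full access to all mailboxes" (full_access_as_app) consent described in the post is a separate grant from the scoped role assignment; leave it in place and every mailbox remains reachable regardless of the scope, so remove that application permission in Entra once the scoped assignment tests clean. Second, the app should continue to request the EWS resource scope (https://outlook.office365.com/.default) when it acquires its token; the restriction is enforced by Exchange Online at request time, not encoded in the token, which is why Test-ServicePrincipalAuthorization, rather than inspecting the token, is the right check.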
Azure- and O365-Architecture for Affiliated Group Companies

My enterprise (an affiliated group of several manufacturing companies) is at the conceptual design phase of adopting Office 365 and Azure. The individual companies share very little in common. Actually, it is quite usual in our industry to sell a complete company to another group, so over time it is likely that single companies from our group will leave and others will join. Nevertheless, there are decision makers who wish that all companies share the same domain, which gives us (the IT departments of the individual companies) quite a headache. One perhaps important note: they are primarily thinking in "Email-Addresses", meaning we shall at least share the same email domains.

So my questions are: What drawbacks do we have to consider with one single tenant? What drawbacks do we have to consider with multiple tenants? Is there a way to share one domain for email while each affiliated company has its own tenant?