SOLVED

What does "all mailboxes" really mean in Teams app permissions?


An end user requested that I grant admin consent to a Team app's permissions. When I looked at the app, here's what I found:

AppPermissions.png

This app says it wants full access to ALL mailboxes without a signed in user. Nobody in their right minds would ever grant any Teams app such an extraordinary level of access to their organization! 


But does that actually mean what it says? I have discovered that some of these permission descriptions don't actually mean what they say, and none of Microsoft's documentation seems to provide any clarity. Will consenting to this request actually grant full access to every mailbox in my organization?

3 Replies
How do you expect it to see and put things on people's calendars? Service account access to all mailboxes is a pretty common thing. Just about every Exchange Server has a Blackberry account.
best response confirmed by Jay Carper (Brass Contributor)
Solution
Those are excessive permissions indeed, you're right to doubt them. What does the app claim to do? If it's anything related to Calendaring, EWS is a valid scenario still. The problem with this permission scope is that it gives you unrestricted access across all mailboxes, not limiting it to Calendar items/operations though. You can restrict which mailboxes will be under its scope (https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/), but no way to restrict the operations themselves.
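The mailbox-scoping the accepted answer points to, as an added example that is not part of the thread: an Exchange Online application access policy that limits the app's application-level permission to the members of one mail-enabled security group, followed by a check of an in-scope and an out-of-scope mailbox. The app ID, group address, user addresses and tenant domain are placeholders; the cmdlet names are the real Exchange Online PowerShell ones.

```powershell
# Added example (not from the thread): restrict which mailboxes a Teams app's
# application permission can reach, then verify the result.
# All identifiers below are placeholders; replace them with your own.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$AppId   = '00000000-0000-0000-0000-000000000000'          # placeholder: the app's Entra application (client) ID
$GroupId = 'TeamsApp-AllowedMailboxes@contoso.example'     # placeholder: mail-enabled security group of in-scope mailboxes

# RestrictAccess denies the app every mailbox except those owned by group members.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $GroupId `
    -AccessRight RestrictAccess `
    -Description 'Limit Teams calendar app to the mailboxes it actually needs'

# Verify: a group member should show AccessCheckResult = Granted, anyone else Denied.
# Policy changes can take up to 30 minutes to apply, so re-run these later if needed.
Test-ApplicationAccessPolicy -Identity 'member@contoso.example' -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'someone.else@contoso.example' -AppId $AppId

# Review the policies bound to this app. Note the limit the answer warns about:
# the policy narrows WHICH mailboxes the app sees, not WHAT it may do inside them.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, ScopeName, AccessRight, Description
```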
This isn't a service account. It's a Teams app.