We already described how to register an application to access Exchange Online mailboxes via the EWS protocol in app-only mode, suitable for unattended applications.
However, the default settings allow such applications to access all mailboxes in the organization, which is undesirable in many scenarios. This guide describes what needs to be done to restrict an application's access to a single mailbox using the New-ApplicationAccessPolicy cmdlet.
Get your application ID
First, you have to determine the AppId of your application. In Azure Portal ⇒ expand the left menu ⇒ select Azure Active Directory ⇒ select App registrations ⇒ locate your desired application.
(Azure Portal is constantly evolving, so if you cannot find this page, use the search bar to locate it.)
On the application's Overview page, you can find the Application (client) ID.
Restrict access to a single mailbox
Install the ExchangeOnlineManagement PowerShell module, which contains the New-ApplicationAccessPolicy cmdlet. (You can skip this step if you have already installed this PowerShell module.)
Open your PowerShell as Administrator, and run:
Install-Module -Name ExchangeOnlineManagement
Confirm the installation when prompted that the module comes from an untrusted repository.
(Wondering why the module installs from an untrusted repository? See this Azure-PowerShell issue.)
Restrict the application's access to a single mailbox. Please note that you will be asked to log into your Azure account when Connect-ExchangeOnline runs.
# Application (client) ID from the App registrations page
$AppId = "YOUR_APP_ID_HERE"
# Free-text description of the policy, shown by Get-ApplicationAccessPolicy
$Description = "Some description here"
# The only mailbox this application may access
$Mailbox = "firstname.lastname@example.org"
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId -PolicyScopeGroupId $Mailbox -Description $Description
Congratulations! As soon as the changes take effect (which can reportedly take up to an hour), your application will only have access to the specified $Mailbox. If you want to grant access to another mailbox, just run the script again with a different $Mailbox and $Description. This way, you can explicitly grant access to every mailbox you need.
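The following script is an added example, not part of the original guide: it creates one RestrictAccess policy per mailbox for an app-only EWS application, lists the policies attached to that application ID, and then uses Test-ApplicationAccessPolicy to confirm that the application is granted access only to the intended mailboxes and denied elsewhere. The application ID and mailbox addresses are placeholders you must replace with your own.

```powershell
# Added example (not from the original guide). Requires the ExchangeOnlineManagement module.
# All IDs and addresses below are placeholders / constructed sample values.

$AppId        = "00000000-0000-0000-0000-000000000000"   # placeholder: your Application (client) ID
$Description  = "Restrict unattended EWS application to specific mailboxes"
$Mailboxes    = @("firstname.lastname@example.org", "shared.inbox@example.org")  # constructed sample mailboxes
$OtherMailbox = "someone.else@example.org"   # constructed: a mailbox the application must NOT be able to reach

# You will be prompted to log into your Azure account here
Connect-ExchangeOnline

# One RestrictAccess policy per mailbox the application legitimately needs
foreach ($mailbox in $Mailboxes) {
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
        -PolicyScopeGroupId $mailbox -Description $Description
}

# Review every policy that applies to this application ID
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-Table AppId, ScopeName, AccessRight, Description

# Verify the effective result: expected "Granted" for the listed mailboxes, "Denied" for any other.
# A newly created policy can take up to an hour before AccessCheckResult reflects it.
foreach ($mailbox in ($Mailboxes + $OtherMailbox)) {
    $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    "{0}: {1}" -f $mailbox, $check.AccessCheckResult
}

Disconnect-ExchangeOnline -Confirm:$false
```

The verification step is the part worth keeping in your runbook: after any change to access policies, checking a mailbox outside the intended scope confirms that the restriction is actually in force rather than assuming it from the cmdlet succeeding.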
Need help or have a question? Ask at Rebex Q&A Forum.