Office 365: How to restrict mailbox access of Azure applications in app-only mode

Lukas Matyska

We already described how to register an application to access Exchange Online mailboxes via EWS or the Microsoft Graph API in app-only mode, which is suitable for unattended applications.

However, the default settings allow such applications to access all mailboxes in the organization, which is undesirable in many scenarios. This guide describes what needs to be done to restrict those applications to a single mailbox using the New-ApplicationAccessPolicy cmdlet.


Get your application ID

  1. First, you have to determine the AppId of your application. In the Azure Portal ⇒ expand the left menu ⇒ select Azure Active Directory ⇒ select App registrations ⇒ locate your desired application.

    (Azure Portal is constantly evolving, so if you cannot find this page, use the search bar and locate App registrations.)

  2. On the Overview page, you can find the AppId listed as Application (client) ID:


Restrict access to a single mailbox

  1. Install the ExchangeOnlineManagement PowerShell module that contains the New-ApplicationAccessPolicy cmdlet. (You can skip this step if you have already installed this PowerShell module.)

    Open your PowerShell as Administrator, and run:

    Install-Module -Name ExchangeOnlineManagement

    Confirm installation from PSGallery by typing Y + Enter.


    (Wondering why the module installs from an untrusted repository? See this Azure-PowerShell issue.)

  2. Restrict the application's access to a single mailbox. Please note that you will be asked to log into your Azure account.

    $AppId = "YOUR_APP_ID_HERE"
    $Description = "Some description here"
    $Mailbox = "someone@example.org"
    
    Connect-ExchangeOnline
    
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId -PolicyScopeGroupId $Mailbox -Description $Description
    
  3. Congratulations! As soon as the changes take effect (which can reportedly take up to an hour), your application will only have access to the specified $Mailbox. If you want to grant access to another mailbox, just run the script again with a different $Mailbox and $Description. This way, you can explicitly grant access to every mailbox you need and nothing else.
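As an added example (not part of the original guide), the following script creates the policy and then uses Test-ApplicationAccessPolicy to confirm that Exchange Online grants the application access only to the intended mailbox; the application ID and mailbox addresses are placeholders you need to replace.

```powershell
# Added example, not from the original guide: create the RestrictAccess policy
# and verify the result with Test-ApplicationAccessPolicy.
# All IDs and addresses below are placeholders; replace them with your own values.
$AppId          = "YOUR_APP_ID_HERE"          # Application (client) ID from the Azure Portal
$AllowedMailbox = "allowed@example.org"       # the only mailbox the app should reach
$OtherMailbox   = "someone-else@example.org"  # any other mailbox, used only to confirm the denial
$Description    = "Restrict app to a single mailbox"

Connect-ExchangeOnline

# Create the policy only if no policy for this AppId exists yet
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
        -PolicyScopeGroupId $AllowedMailbox -Description $Description
}

# Ask Exchange Online how it evaluates the app against each mailbox.
# AccessCheckResult is "Granted" for the scoped mailbox and "Denied" for any other;
# right after creation it can still report "Granted" until the policy propagates.
foreach ($mbx in @($AllowedMailbox, $OtherMailbox)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    "{0,-30} {1}" -f $mbx, $result.AccessCheckResult
}
```

If $OtherMailbox still shows Granted after the propagation delay, list the policies with Get-ApplicationAccessPolicy and check that the AppId in the policy matches the Application (client) ID, not the Object ID, of your app registration.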

Any issues?

Need help or have a question? Ask at Rebex Q&A Forum.