
Restrict App Registration application permission to certain mailboxes

Requirements: Active Exchange Administrator Role and App Registration with application permissions granted.

Application Access Policies

Generally, Application Permissions allow an Azure App Registration to access a certain type of data across the whole tenant.

For example, the Application Permission Calendars.ReadWrite grants access to every calendar in every mailbox in the Exchange Online environment.

Use case

If, for example, you want to grant an App Registration Read and Write permission on just 15 calendars, you can do so with an Application Access Policy.

Creating an Application Access Policy

To create an Application Access Policy, you first have to create your App Registration and grant it the required Application permission (e.g. Mail.Send).

After that you need to create a Mail Enabled Security Group in the Exchange Admin Center and add the mailboxes on which the App Registration's permission shall be active.

Now you can create the Application Access Policy with the following command. First you have to log in to Exchange Online as an Exchange Administrator (the module is named ExchangeOnlineManagement).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AppId "<AppRegistrationId>" -PolicyScopeGroupId "<PrimarySMTPAddressOfMESG>" -Description "<YourCustomDescription>" -AccessRight RestrictAccess

Example

New-ApplicationAccessPolicy -AppId "8ac33c24-5d07-4a6e-8b5c-14hsi1912722" -PolicyScopeGroupId "test@mydomain.com" -Description "Restricts Access of App X to MESG Y" -AccessRight RestrictAccess
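As an added example (not part of the original page), the whole procedure above as one PowerShell script: it creates the mail-enabled security group with its members, creates the restricting policy, and then verifies with Test-ApplicationAccessPolicy that one mailbox inside the group is granted and one outside it is denied. The App ID, group name, admin account and mailbox addresses are placeholders, not values from the page.

```powershell
# Added example, not from the original page. All IDs, names and addresses
# below are placeholders/assumptions; replace them with your own values.

# Module name is ExchangeOnlineManagement (Install-Module ExchangeOnlineManagement).
# Sign in with an account that holds the Exchange Administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@mydomain.com"

$AppId      = "00000000-0000-0000-0000-000000000000"        # placeholder: App (client) ID of the App Registration
$GroupName  = "AppX-AllowedMailboxes"                        # assumed display name of the MESG
$GroupSmtp  = "appx-allowed@mydomain.com"                    # assumed primary SMTP address of the MESG
$InScope    = @("alice@mydomain.com", "bob@mydomain.com")    # assumed mailboxes the app may access
$OutOfScope = "carol@mydomain.com"                           # assumed mailbox that must stay out of reach

# 1. Create the mail-enabled security group and add the mailboxes in scope
#    (same result as doing it by hand in the Exchange Admin Center).
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security `
        -PrimarySmtpAddress $GroupSmtp -Members $InScope | Out-Null
}

# 2. Create the policy: the app's application permission now only works
#    against mailboxes that are members of the group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description "Restricts access of App X to the mailboxes in $GroupName"

# 3. Show what is now configured in the tenant.
Get-ApplicationAccessPolicy | Format-List

# 4. Verify the effective result per mailbox. Expected: the in-scope
#    mailboxes report Granted, the out-of-scope mailbox reports Denied.
foreach ($mbx in ($InScope + $OutOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    "{0,-30} {1}" -f $mbx, $result.AccessCheckResult
}
```

Policy changes can take a while to become effective (Microsoft documents up to 30 minutes), so if step 4 still reports Granted for the out-of-scope mailbox right after creation, re-run the check later before treating the policy as broken. The test step is worth keeping as a recurring check: it confirms the restriction from the mailbox side, independent of what the application itself reports.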

View existing Application Access Policies

If you want to view all existing Application Access Policies in your Tenant, you can do so with this command.

Get-ApplicationAccessPolicy

For more readability you can view this output in a grid view.

Get-ApplicationAccessPolicy | Out-GridView
