Use Imap.Accessasapp

Question

Use Imap.Accessasapp

Shah Mita (YIANA) 0

Once you grant the permission to "Imap.Accessasapp' , the service principal can access to all the mailboxes of tenant ?

I am following the steps: - "Use client credentials grant flow to authenticate SMTP, IMAP, and POP connections"

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

Shah Mita (YIANA) 0 Reputation points

2025-03-31T11:47:11.35+00:00

Our security team is worried that by granting Imap.Accessasapp permission , Service principal can access each and every mailbox.

is this true ?

1 answer

Your answer

Shah Mita (YIANA) 0 Reputation points

2025-03-31T11:47:11.35+00:00

Our security team is worried that by granting Imap.Accessasapp permission , Service principal can access each and every mailbox.

is this true ?

Answer 1

Vasil Michev 119.7K MVP Volunteer Moderator

Yes, the Imap.Accessasapp application permission allows the service principal to access each and every mailbox within the tenant. By default, application permissions are unscoped, i.e. they cover all available resources. In contrast, delegate permissions are limited in scope - they only cover what the logged in user has access to.

If you want to restrict the scope of Imap.Accessasapp or similar permissions, use the RBAC for applications functionality: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

That's the theory at least, as I haven't tested the IMAP scenario (and there is suspicious lack of mention for anything IMAP-related in the documentation above). I've pinged the PM on this just in case, will let you know if my answer above needs to be corrected.

Shah Mita (YIANA) 0 Reputation points

2025-04-01T11:14:47.55+00:00

Hi Vasil

Thanks for the answer.

We are currently looking into using the client credentials grant flow to authenticate IMAP connections (https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-smtp-imap-and-pop-connections)&data=05%7C02%7CMita.Shah%40vattenfall.com%7C705118394d1c42d2ccf708dd70585f1e%7Cf8be18a6f6484a47be7386d6c5c6604d%7C0%7C0%7C638790247029858037%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=wY7Z5fGuACAf6UHlzM%2FtNkKRw%2F8QXEcGrwon9UrG10o%3D&reserved=0). For this, the application permission ‘IMAP.AccessAsApp’ needs to be assigned with tenant admin consent. After the consent, an Exchange admin has to create a service principle in Exchange for the Entra AD application and add a mailbox to the service principle.

Could you please clarify, if we assign the application permission IMAP.AccessAsApp, what access does the app -by default- have? Does it have access to any mailboxes or does the Exchange admin first need to create a service principle and add a mailbox to it to get access to that specific mailbox?

If the Exchange admin gives access to that specific mail box , will i be able to access all the mailbox ?

We want to access only one mailbox with Imap.accessasapp permission and non-interactive logon.
Vasil Michev 119.7K Reputation points MVP Volunteer Moderator

2025-04-02T05:45:47.8166667+00:00

So I checked with the PM on this, and I stand corrected - the IMAP.AccessAsApp application permissions do not give you unscoped access to all mailboxes. Instead, you control it by granting Full Access permission on a per-mailbox basis, much like you would do for user scenarios.

Share via

Use Imap.Accessasapp

1 answer

Your answer