This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 19%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
I have a web application that uses Delegated Permissions to query Mail, but it does not fit our use-case which a tenant-wide Application Permission does. Now we need to limit permissions of Mailboxes & Calendars API, is there a way to restrict this Application Permission to a Microsoft Entra Group of Users/Shared Mailboxes?
An API that connects multiple Microsoft services, enabling data access and automation across platforms
Answer accepted by question author
yes, you can follow:
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
I use this all the time and works great.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Does this apply to shared mailboxes? Can I restrict the application to only have access to a single shared mailbox using the approach in your link? Or is a service account required? Are there any requirements the shared mailbox must have for your approach to work?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 24%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Hi Jiahao Wu,
Thank you for reaching out to Microsoft!
Graph API can work either on delegated permission or Application-level permissions. However, you can limit application permissions to a specific group/Users by creating a New-ApplicationAccessPolicy.
For more information, please refer to the following documentation: Limiting application permissions to specific Exchange Online mailboxes
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
This is an older architecture. Its better to use the RBAC model I linked in my answer and leverage the improved RBAC granularity
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
Keep in mind, that Microsoft intends to deprecate the application access policies at some point, its better to use the RBAC model now: