Hi Bob, so there are really a few things here:
The Service Principal requirement with full mailbox access: That is for IMAP, POP and SMTP perms right now:
The other Graph Exchange perms allow you to leverage the access policy (or the newer RBAC)
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac
Both of these methods allow applications to access an Exchange mailbox while at the same time limiting their access based on the settings (or, in the case of the Service Principal using OAuth, POP and SMTP, the mailbox you have given full access to).
For an application that has no signed-in user, you have to provide application access, otherwise it won't work (versus delegated); however, the limits you have set via the application access policy or RBAC perms ensure the application can't access all the mailboxes, just the ones you have allowed it to.
So to answer your specific question. If the perms requested are:
For POP access, choose the POP.AccessAsApp permission. For IMAP access, choose the IMAP.AccessAsApp permission. For SMTP access, choose the SMTP.SendAsApp permission.
then follow that OAuth doc and create the Service Principal in Exchange and give it full access to that mailbox.
If the perms needed by the app are the following:
and you are using the new RBAC method, then follow that doc and create the Service Principal and assign the perms.
If however, you are still using the original application access policies, then no need to create the service principal.
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
I think you can see where this is going, however. In the future, Exchange access via Graph will leverage service principals and the old access policies will be removed, so it's prob worth it now to get started with the new RBAC methods.
As far as using a shared mailbox, yes you can, if the app supports it. I have a few that do this and it's always nice when it does, but I can't tell you if yours will or not; worth testing!
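As an added example (not part of the original reply), this Exchange Online PowerShell sketch covers the IMAP/POP/SMTP case described above: register the service principal, grant it FullAccess on one mailbox, then check that a second mailbox is still out of reach. All IDs and addresses are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and that `-User` accepts the service principal's ObjectId.

```powershell
# Constructed placeholder values; replace with your tenant's own.
$appId    = '00000000-0000-0000-0000-000000000000'  # Application (client) ID
$objectId = '11111111-1111-1111-1111-111111111111'  # Object ID from Enterprise applications
$allowed  = 'shared-intake@contoso.example'          # the one mailbox the app may open
$control  = 'someone-else@contoso.example'           # a mailbox the app must not reach

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Register the app's service principal in Exchange Online if it is not there yet.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $appId }
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $appId -ObjectId $objectId `
        -DisplayName 'Mail intake app (example)'
}

# Grant FullAccess on the single allowed mailbox only (skip if already granted).
$existing = Get-MailboxPermission -Identity $allowed -User $sp.ObjectId `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-MailboxPermission -Identity $allowed -User $sp.ObjectId `
        -AccessRights FullAccess | Out-Null
}

# Verify the scope: access expected on $allowed, none on $control.
$report = foreach ($mbx in $allowed, $control) {
    $perm = Get-MailboxPermission -Identity $mbx -User $sp.ObjectId `
        -ErrorAction SilentlyContinue
    $hasFull = $perm | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and -not $_.Deny
    }
    [pscustomobject]@{
        Mailbox    = $mbx
        FullAccess = [bool]$hasFull
        Expected   = ($mbx -eq $allowed)
    }
}
$report | Format-Table -AutoSize

# Flag any mismatch between the granted and the intended scope.
if ($report | Where-Object { $_.FullAccess -ne $_.Expected }) {
    Write-Warning 'Mailbox permissions do not match the intended scope.'
}
```

The same check works for a shared mailbox by putting its address in `$allowed`.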