Does an Enterprise Application with Mail.Read permission consented by an admin have access to every mailbox in the tenant?

Kiril 96 Reputation points
2023-08-31T09:19:44.26+00:00

I am trying to get a better understanding of third party application access. The third party application is a productivity tool, which accesses the data from the screenshot below, and maintains access. The application was consented by an admin.

Does that mean, that the third party application can access the mailbox of all users in the tenant, since it was consented by an admin? Or does each user still have to actively open the app in order to allow the app to access the user's data?

In each case, how do I know which user is using the app, or has opened the app? And how do I disable the app's access to specific user's data?

application permissions

Microsoft Graph

2 answers

  1. Andy David - MVP 155.2K Reputation points MVP
    2023-08-31T11:17:40.6133333+00:00

    If the permission is delegated, then the user will only be able to access mailboxes they already have access to (their own, shared, etc.).

    If the permission is application, then they can access ALL the mailboxes in the tenant unless you scope the permissions to the app. Note the permissions this supports in the doc as well:

    https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

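The scoping that the answer above refers to (RBAC for Applications in Exchange Online) looks like this in Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft's documentation; `$appId`, `$spObjectId`, the scope name, the `Department -eq 'Sales'` filter and the mailbox `alice@contoso.com` are placeholders that you would replace with the values for your own tenant and app.

```powershell
# Added example: limit an app's *application* Mail.Read access to a subset of mailboxes
# with Exchange Online RBAC for Applications, instead of the tenant-wide Graph app role.
# Requires the ExchangeOnlineManagement module (v3.x).
Connect-ExchangeOnline

# Placeholders (assumed): take both values from the enterprise application's
# Overview blade in Entra ID. AppId is the application (client) ID,
# ObjectId is the service principal's object ID.
$appId      = "00000000-0000-0000-0000-000000000001"
$spObjectId = "00000000-0000-0000-0000-000000000002"

# 1. Make Exchange Online aware of the app's service principal.
New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName "Productivity tool"

# 2. Define the set of mailboxes the app may touch. Here: recipients whose
#    Department attribute is "Sales" (filter is an assumption for the example).
New-ManagementScope -Name "ProductivityTool-Sales" `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

# 3. Assign the application role "Application Mail.Read" to the app, restricted
#    to that scope. This replaces consenting to Mail.Read (application) in Entra,
#    which would cover every mailbox in the tenant.
New-ManagementRoleAssignment -App $spObjectId `
    -Role "Application Mail.Read" `
    -CustomResourceScope "ProductivityTool-Sales"

# 4. Verify what the app can actually do against a specific mailbox. The output
#    lists each role the app holds and whether it applies to that recipient.
Test-ServicePrincipalAuthorization -Identity $spObjectId -Resource "alice@contoso.com" |
    Format-Table RoleName, GrantedPermissions, AllowedResourceScope, InScope

# Review everything currently granted to apps this way:
Get-ManagementRoleAssignment -RoleAssigneeType ServicePrincipal |
    Format-Table Name, Role, RoleAssignee, CustomRecipientWriteScope
```

Run `Test-ServicePrincipalAuthorization` for a mailbox that should be in scope and one that should not, and check the `InScope` column for each, before you rely on the assignment; the linked article describes how these assignments interact with application permissions that are still consented in Entra ID, so read that section if the app was already granted Mail.Read there.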

  2. Philippe Signoret (Microsoft) 406 Reputation points Microsoft Employee
    2023-09-04T13:57:25.3266667+00:00

    The app will be able to access the mailbox of any user who signs in to the app. To limit the mailboxes the app can access on behalf of users, you can limit which users are allowed to sign in to the app, as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users

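For the delegated case described in the answer above, the questions "which users have used the app?" and "how do I stop the app from accessing a specific user's mailbox?" can both be answered from Microsoft Graph PowerShell. This is an added example, not code from the original post or from the linked Microsoft article; `$appId`, `$userToBlock` and `$userToAllow` are placeholders for your own tenant, and it assumes you hold the Graph scopes listed in `Connect-MgGraph`.

```powershell
# Added example: inventory who has signed in to (or consented to) a delegated-permission
# app, then restrict the app to an explicit set of users.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "AuditLog.Read.All"

# Placeholders (assumed): the app's application (client) ID and two user UPNs.
$appId        = "00000000-0000-0000-0000-000000000001"
$userToBlock  = "bob@contoso.com"
$userToAllow  = "alice@contoso.com"

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"

# 1. Who has actually signed in to the app? Interactive sign-in logs, filtered by app.
Get-MgAuditLogSignIn -Filter "appId eq '$appId'" -Top 100 |
    Select-Object UserPrincipalName, CreatedDateTime,
                  @{n = 'Result'; e = { $_.Status.ErrorCode } }   # 0 = success

# 2. What consent exists for the app? consentType "AllPrincipals" is the admin-wide
#    grant from the question; "Principal" rows are individual users who consented.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Select-Object ConsentType, PrincipalId, Scope

# 3. Restrict the app to an explicit set of users: require an assignment, then
#    assign the users who may sign in. The all-zero AppRoleId is the "default access"
#    role used when the app defines no app roles of its own.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

$allow = Get-MgUser -UserId $userToAllow
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $allow.Id -ResourceId $sp.Id -AppRoleId ([guid]::Empty)

# 4. Cut off one specific user: remove any assignment they hold and any
#    per-user consent grant, then revoke their refresh tokens so the app cannot
#    keep using a token it already obtained.
$block = Get-MgUser -UserId $userToBlock
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object PrincipalId -eq $block.Id |
    ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
    }
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and principalId eq '$($block.Id)'" |
    ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
Revoke-MgUserSignInSession -UserId $block.Id
```

Note the order in step 4: removing the assignment stops new sign-ins, but tokens the app already holds for that user remain valid until they expire, which is why the session revocation is included; after it, the app's next refresh for that user fails and it is pushed back through sign-in, where the assignment requirement now blocks it.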
