how to restrict exchange application permissions

Question

how to restrict exchange application permissions

Nataniel nExoR Zielinski 41

hi,

i'm creating automated solution for some reporting, that is to be run by 1st and 2nd line. quite recently there has been a new connect-exchangeonline feature allowing to connect with certificate, using EXO app registration
https://www.quadrotech-it.com/blog/certificate-based-authentication-for-exchange-online-remote-powershell/
it's basically great feature, and script can run with automated logon experience....

the problem is that such connection has full admin permissions. i found information on application restrictions, but issue there is that it is 'per mailbox' while i need to restrict access granting RO permissions to all mailboxes (for now and for future). so this policy is highly unsustainable.
https://learn.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps

to summarize: i want to write fully automated script that has RO access to EXO.

is there a way to limit registered app permissions globally to RO?
is there an option, so the application (app registered in AAD) run in a context of a particular user - so then i could create roles in EXO

suggestions appreciated!

Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2020-10-26T14:18:42.87+00:00

You're not using Graph API per se here, it's only handling the authentication bits. Access to the actual cmdlets is still controlled by the admin role assigned to the service principal object. As Andy mentioned, Global Reader should be fine for this scenario.

Now, if you do have an application doing actual Graph API calls against Exchange objects, the way to restrict it is detailed here: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
Again, that's different and wont help you in this current scenario, just adding it to (hopefully) clear any confusion.

Accepted answer

2 additional answers

Your answer

Vasil Michev 119.5K Reputation points MVP Volunteer Moderator

2020-10-26T14:18:42.87+00:00

You're not using Graph API per se here, it's only handling the authentication bits. Access to the actual cmdlets is still controlled by the admin role assigned to the service principal object. As Andy mentioned, Global Reader should be fine for this scenario.

Now, if you do have an application doing actual Graph API calls against Exchange objects, the way to restrict it is detailed here: https://practical365.com/exchange-online/application-access-policies-in-exchange-online/
Again, that's different and wont help you in this current scenario, just adding it to (hopefully) clear any confusion.

Answer 1

Andy David - MVP 157.4K MVP Volunteer Moderator

You can add the Azure app to the Global Reader Azure role and nothing else and accomplish this.
It wont run in the context of the user however, but if you gave the app Global Reader perms, then it wouldnt need to would it?

Global Reader has full read access to Exchange Online

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-reader-permissions
microsoft.office365.exchange/allEntities/read

Nataniel nExoR Zielinski 41 Reputation points

2020-10-27T19:32:56.057+00:00

thank you guys! it was so obvious... why i didn't check on the first place?
i found the app in 'exchange admin' role so it's that simple...

kudos

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

how to restrict exchange application permissions

2 additional answers

Your answer