Limiting permission granted by Exchange.ManageAsApp when using App-only authentication for unattended scripts in Exchange Online PowerShell

Chathum Henegama 21 Reputation points

I have an application that executes PowerShell commands programmatically to read journal rules set up in Exchange Online / Office 365.

Using PowerShell commands and the EXO module (v3) I can obtain the list of journal rules. For authentication we use the steps described in this article that discusses App-only authentication for unattended scripts. If you check the App-only authentication guide, it requires assigning the Exchange.ManageAsApp permission. (see

The code and the application work flawlessly, but Exchange.ManageAsApp is a very privileged permission which gives access to make any changes to the Exchange server.

My question is whether there is a way to limit the permission granted by Exchange.ManageAsApp? Most IT admins do not like the idea of granting Exchange.ManageAsApp to an application.

I have read about application access policies in MS Graph, but I am not sure if we can use application access policies here?


Accepted answer
  1. Vasil Michev 91,046 Reputation points MVP

    Exchange.ManageAsApp is basically "impersonation", it does not give your app any specific permissions. This is the reason why you need to run step 5 of the article above, i.e. add the service principal to a given role.

    Basically, you can skip step 5 and assign an Exchange-specific role to the service principal, which in turn gives you the flexibility to scope the assignment via management scopes or AUs. I have an example article about this here:

    Or you can refer to the official Microsoft blog post about this:

    In your case, a direct role assignment for the View-Only Configuration role should do.

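As an added example that is not part of either answer or of the linked articles: the direct Exchange role assignment the accepted answer describes, done with the EXO V3 cmdlets. It assumes the app registration already has the Exchange.ManageAsApp application permission and certificate-based authentication configured; the app ID, service principal object ID, tenant domain, certificate thumbprint and assignment name are placeholders.

```powershell
# Added example (not from the original post). Placeholder values are marked <...>.
# Part 1 runs once, interactively, as an Exchange administrator.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Make Exchange Online aware of the Entra app registration's service principal.
# AppId = Application (client) ID of the app registration;
# ObjectId = Object ID of the matching enterprise application (service principal).
$sp = New-ServicePrincipal -AppId "<AppId>" `
                           -ObjectId "<ServicePrincipalObjectId>" `
                           -DisplayName "JournalRuleReader"

# Assign a read-only Exchange role directly to the service principal instead of
# an Entra directory role (the "step 5" the accepted answer says can be skipped).
# Management scopes (-CustomConfigWriteScope etc.) could narrow this further.
New-ManagementRoleAssignment -Role "View-Only Configuration" `
                             -App $sp.ObjectId `
                             -Name "JournalRuleReader-ViewOnlyConfig"

# Verify that the service principal holds only the intended role.
Get-ManagementRoleAssignment -RoleAssignee $sp.ObjectId |
    Format-Table Name, Role, RoleAssigneeType

Disconnect-ExchangeOnline -Confirm:$false

# Part 2: the unattended script the application runs (app-only, certificate auth).
Connect-ExchangeOnline -CertificateThumbprint "<Thumbprint>" `
                       -AppId "<AppId>" `
                       -Organization "contoso.onmicrosoft.com"

# Reading journal rules works under View-Only Configuration ...
Get-JournalRule | Format-Table Name, Recipient, JournalEmailAddress, Enabled

# ... while write cmdlets such as New-JournalRule are not available to this
# session, because the role grants no configuration write rights.
Disconnect-ExchangeOnline -Confirm:$false
```

Because the role is an Exchange role rather than an Entra directory role, the same `Get-ManagementRoleAssignment` output is what an admin reviews later to confirm the app's access has not grown beyond read-only.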

1 additional answer

  1. Andy David - MVP 138.3K Reputation points MVP

    Yeah, the application access policies apply to mailboxes here, so that won't work.

    Essentially you need access to the configuration and thus need that Exchange.ManageAsApp perm.

    Now there is a role in Exchange itself called "Hygiene Management", however that is not an Azure role, and those are the only ones you can assign to the app itself:

    So I think you are stuck in your scenario.
