Limiting permission granted by Exchange.ManageAsApp when using App-only authentication for unattended scripts in Exchange Online PowerShell

Chathum Henegama 21 Reputation points
2023-11-28T10:30:53.41+00:00

I have an application that executes powershell commands programatically to read journal rules setup in exchange online / office 365.

Using powershell commands and the EXO module (v3) I can obtain the list of journal rules, for authentication we use the steps described in this article that discusses about App-Only authentication for un-attended scripts, If you check through the App-only authentication guide it requires to assign Exchange.ManageAsApp permission. (see https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-2-assign-api-permissions-to-the-application)

The code and the application works flawlessly but Exchange.ManageAsApp is a very privileged permission which gives access to make any changes to the exchange server.

My question is weather there is a way to limit the permission granted by Exchange.ManageAsApp ? Most IT-admins do not like the idea of granting Exchange.ManageAsApp to an application.

I have read about application access policies in MS Graph, but I am not sure if we can use applicationAccess Policies here ?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
9,987 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,053 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,224 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
1,861 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,691 questions
{count} votes

Accepted answer
  1. Vasil Michev 91,046 Reputation points MVP
    2023-11-28T16:01:27.6933333+00:00

    Exchange.ManageAsApp is basically "impersonation", it does not give your app any specific permissions. This is the reason why you need to run step 5 of the article above, i.e. add the service principal to a given role.

    Basically, you can skip step 5 and assign an Exchange-specific role to the service principal, which in turn gives you the flexibility to scope the assignment via management scopes or AUs. I have an example article about this here: https://www.michev.info/blog/post/4282/exo-rbac-improvements-1-limiting-application-access

    Or you can refer to the official Microsoft blog post about this: https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-public-preview-of-role-based-access-control-for/ba-p/3688228

    In your case, a direct role assignment for the View-Only Configuration role should do.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Andy David - MVP 138.3K Reputation points MVP
    2023-11-28T12:53:52.4033333+00:00

    Yea the application access policies apply to mailboxes here so that wont work.

    Essentially you need access to the configuration and thus need that Exchange.ManageAsApp perm.

    now there is a role in Exchange itself called 'Hygiene Management" , however that is not an Azure role and those are the only ones you can assign to the app itself:

    https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-5-assign-azure-ad-roles-to-the-application

    So I think you are stuck in your scenario

    0 comments No comments