After a period of time the policy started working. I created a mail-enabled security group and added the mailbox I want the app to access to it. It took a while, but eventually the app would not connect to any mailbox other than the ones in the group. So it works as it should.
Azure Application for access to specific mailboxes.

I'm confused how to lock down an Azure application. Let me detail what I've done.
I created an app.
I added the Office 365 Exchange EWS.AccessAsUser.All API permission.
I added the full_access_as_app permission as well.
I also created a certificate.
I can get the application to access the app and I can access mailboxes as expected. The application can access "ANY" mailbox at the moment.
How can I prevent usage of the App from allowing access to ANY mailbox? I'd like to lock it down to specific mailboxes the App can access.
I've read about New-ApplicationAccessPolicy. I'm just confused by what it's doing. I did set a new policy and tied it to a group, and added the mailboxes I want the app to be able to access to it. I'm just waiting, I guess, for replication or something. It seems the app can still access multiple mailboxes not in the group.
Andy David - MVP (Volunteer Moderator)
2021-12-09T21:14:49.94+00:00
For EWS, the only permission that application policies apply to is full_access_as_app, so remove EWS.AccessAsUser.All.
P.S.
Verify access is working as expected afterwards:
Example:
Test-ApplicationAccessPolicy -Identity ******@contoso.com -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b
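The full sequence the question and answer describe (scope group, RestrictAccess policy, then the Test-ApplicationAccessPolicy check), as an added example that is not from either post. It assumes the ExchangeOnlineManagement module is installed, an account that can create groups and policies, and placeholder values for the app ID, group name and mailbox addresses.

```powershell
# Added example, not code from the thread. Requires the ExchangeOnlineManagement
# module; every identifier below is an assumed placeholder, not a value from the page.
Connect-ExchangeOnline

$appId        = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the EWS app registration
$allowedBoxes = @('shared1@contoso.com', 'shared2@contoso.com')   # assumed in-scope mailboxes
$outOfScope   = 'finance@contoso.com'                            # assumed mailbox the app must NOT reach
$groupName    = 'EWS-App-Allowed-Mailboxes'                      # assumed group name

# 1. The policy is scoped to a mail-enabled security group, so create one and
#    add only the mailboxes the app is allowed to open.
$group = New-DistributionGroup -Name $groupName -Type Security `
    -PrimarySmtpAddress "$groupName@contoso.com"
foreach ($mbx in $allowedBoxes) {
    Add-DistributionGroupMember -Identity $group.Identity -Member $mbx
}

# 2. RestrictAccess limits the app's full_access_as_app permission to group members.
#    Without a policy the app can open any mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess -Description 'Limit EWS app to approved shared mailboxes'

# 3. Verify. Policy propagation is not immediate (the original poster saw a delay),
#    so repeat until AccessCheckResult is Granted in scope and Denied out of scope.
$inScope  = Test-ApplicationAccessPolicy -Identity $allowedBoxes[0] -AppId $appId
$outScope = Test-ApplicationAccessPolicy -Identity $outOfScope    -AppId $appId

if ($inScope.AccessCheckResult -eq 'Granted' -and $outScope.AccessCheckResult -eq 'Denied') {
    Write-Output "Policy is effective: $($inScope.Mailbox) Granted, $($outScope.Mailbox) Denied"
} else {
    Write-Warning "Policy not yet effective: in-scope=$($inScope.AccessCheckResult), out-of-scope=$($outScope.AccessCheckResult)"
}
```

Get-ApplicationAccessPolicy lists the policies that exist for the tenant if you need to confirm which app IDs are already restricted.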