The steps you have followed apply to the client credentials flow (application permissions), whereas your registered app is using delegate permissions. You are likely able to access other mailboxes because the user in whose context you're running the app has the necessary Full Access permissions.
As to the second question, IMAP is an outdated protocol and I wouldn't recommend using it. For integrating Exchange Online with other systems use the Graph API: https://learn.microsoft.com/en-us/graph/api/resources/mail-api-overview?view=graph-rest-1.0
Limiting IMAP permissions to specific Exchange Online mailboxes

Due to the upcoming Basic Authentication deprecation in Exchange Online (deadline of 10/1/22), we have been working to change our web based ticket system (we were using basic authentication via IMAP) to use IMAP4 with OAuth 2.0 authentication. We created an app using this link as a reference: https://learn.microsoft.com/en-us/answers/questions/427049/office-365-oauth2-working-correctly-for-imap-not-w.html . We only want to give permission to access 1 mailbox, so we followed the instructions here:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth . We followed the part where it states "Register service principals in Exchange". We then ran Add-MailboxPermission against the mailbox we want to allow access to.
Questions:
- The issue we are having is that when we change the mailbox but keep the same token, it still allows the connection. We only want access to 1 mailbox, not all. How can we accomplish this?
- Is IMAP via app authentication the best workaround to integrate our web based ticket system to read emails? I tried this solution but I came across the same issue: we are able to read all mailboxes, not just one. https://www.youtube.com/watch?v=AXssQL7LkRA
1 answer
Vasil Michev 66,956 Reputation points MVP
2022-08-24T15:43:32.09+00:00
Your other question is around the same issue - you're trying to implement application access policies for an unsupported scenario. They only work for Application permissions (as in, you get a token in the context of an application, via client secret or certificate). Instead, you're using the Delegate permissions model. To understand the difference between the two, read here: https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#types-of-permissions
Here's an article that explains for which scenarios application access policies apply: https://practical365.com/application-access-policies-in-exchange-online/
So would I use the delegate permissions model to achieve my goal of restricting access to only 1 mailbox? Where do I set this permission?
You can use either. The difference is that when using the delegate permissions model, your application will only have access to resources to which the user (under whose credentials the app runs) has access. Thus if you run under a user that has access to only his own mailbox, the application will not be able to access anything else. If you run under a user that has been granted access to other mailboxes, the application will be able to access them as well, and application access policies will not prevent this from happening.
When running in the application context model, there is no user involved and the application by default gets access to all resources in the org. This is where application access policies come into play - you can use them to restrict access to specific mailboxes only. Creating a service principal in ExO and granting it Full Access mailbox permissions achieves a similar purpose for POP/IMAP access.
Based on what you wrote, it seems that the delegate permissions model is what I'm looking for, since I only want to give 1 user access to its own mailbox.
When you say
"user (under whose credentials the app runs)"
which setting are you referring to?
Is it the Owners setting, or the Users and groups setting under Enterprise applications?
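The client-credentials path the answer describes (service principal registered in Exchange Online, Full Access granted on one mailbox, and an application access policy for the Graph/EWS case), written out as an added Exchange Online PowerShell example that is not part of this thread. The GUIDs, mailbox and group addresses are constructed placeholders; the cmdlets are the standard ExchangeOnlineManagement ones.

```powershell
# Added example (not from the thread). All GUIDs and addresses below are
# constructed placeholders: substitute your own app and mailbox values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# From the app registration / enterprise application in Azure AD (placeholders).
$AppId     = '00000000-0000-0000-0000-000000000001'   # Application (client) ID
$ServiceId = '00000000-0000-0000-0000-000000000002'   # Object ID of the enterprise app (service principal)
$Mailbox   = 'tickets@contoso.example'                # the only mailbox the app may read

# 1. IMAP/POP with client credentials: make the app's service principal known to
#    Exchange Online and grant Full Access on the one mailbox. The app then
#    authenticates as itself (secret or certificate), so there is no signed-in
#    user whose own mailbox rights could widen the scope, which is the
#    behaviour the questioner saw with the delegated flow.
New-ServicePrincipal -AppId $AppId -ServiceId $ServiceId -DisplayName 'Ticket system IMAP'
Add-MailboxPermission -Identity $Mailbox -User $ServiceId -AccessRights FullAccess

# 2. Audit: list every mailbox on which this service principal holds a permission.
#    Exactly one row (the ticket mailbox) is the expected result.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User -like "*$ServiceId*" -or $_.User -like "*$AppId*" } |
    Select-Object Identity, User, AccessRights

# 3. Graph/EWS with application permissions: an application access policy scoped
#    to a mail-enabled security group whose only member is the ticket mailbox.
$ScopeGroup = 'imap-app-scope@contoso.example'   # placeholder group address
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup -Description 'Ticket system: tickets mailbox only'

# 4. Verify the policy (it can take a while to propagate): AccessCheckResult should
#    read Granted for the ticket mailbox and Denied for any other mailbox.
Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'someone.else@contoso.example' -AppId $AppId
```

Step 3 and 4 only restrict application-permission (client-credentials) tokens, as the answer states; a delegated token still inherits whatever mailbox access the signed-in user has.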