Azure O365 App MailBox Access

High-level steps

  1. Links
  2. Create an Entra ID (Azure AD) app registration and note its Application (client) ID.
  3. Give the app the API permission Office 365 Exchange Online > Exchange Web Services > full_access_as_app (an application permission) and grant admin consent.

    • On its own this permission lets the app open every mailbox in the tenant; steps 4 to 6 narrow it to one group of mailboxes with an application access policy.
  4. Open Exchange Online PowerShell (pwsh): Connect-ExchangeOnline -UserPrincipalName <ADM@example.co.nz>

  5. Create a mail-enabled security group, for example MailboxAccessGroup, and add the mailbox owner(s) to it. The policy scope must be a mail-enabled recipient (mail-enabled security group, distribution group or dynamic distribution group); a plain Entra security group with no email address is not accepted as -PolicyScopeGroupId.
  6. Assign the application access policy (RestrictAccess means the app can only reach the mailboxes of the group's members):

    New-ApplicationAccessPolicy -AppId "<AppId>" -PolicyScopeGroupId "MailboxAccessGroup" -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"
  7. Verify with Get-ApplicationAccessPolicy, then Test-ApplicationAccessPolicy -Identity <mailbox> -AppId "<AppId>": AccessCheckResult should be Granted for a group member's mailbox and Denied for any other mailbox. Allow some time for a new policy to propagate before trusting a Denied result for a member.
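The steps above as one script, added here as an example and not taken from the original page: it creates the mail-enabled group if needed, creates the policy only if the app does not already have one, and then checks one in-scope and one out-of-scope mailbox. The AppId, the group address, the admin account and the out-of-scope mailbox are placeholders/assumptions, not values from the page.

```powershell
# Added example (not from the original page): scope an app's full_access_as_app
# permission to one group's mailboxes with an application access policy, then verify it.
# Assumed placeholders: $AppId, $GroupSmtp, the admin UPN and $OutOfScope.
$AppId      = "<AppId>"                               # application (client) ID of the Entra app
$GroupName  = "MailboxAccessGroup"
$GroupSmtp  = "MailboxAccessGroup@example.co.nz"      # assumed address for the group
$InScope    = "TestStatementReconciliation@example.co.nz"
$OutOfScope = "someone.else@example.co.nz"            # assumed mailbox that is NOT a group member

Connect-ExchangeOnline -UserPrincipalName "ADM@example.co.nz" -ShowBanner:$false

# -PolicyScopeGroupId must be a mail-enabled recipient. -Type Security makes
# New-DistributionGroup create a mail-enabled security group rather than a plain DL.
$group = Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp
}
# Adding an existing member throws; suppress that so the script is re-runnable.
Add-DistributionGroupMember -Identity $GroupSmtp -Member $InScope -ErrorAction SilentlyContinue

# Only create the policy if this AppId does not already have one.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    $policy = New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"
}
$policy | Format-List AppId, ScopeName, AccessRight, Description

# Check: the member mailbox should be Granted and the non-member Denied.
# A freshly created policy can take a while to apply, so a Denied result for the
# in-scope mailbox immediately after creation usually means "wait and re-run".
foreach ($mbx in @($InScope, $OutOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    "{0,-50} {1}" -f $mbx, $result.AccessCheckResult
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the out-of-scope mailbox comes back Granted, the app either has no policy (Get-ApplicationAccessPolicy shows nothing for that AppId) or the mailbox is a member of the scope group through nesting; both are worth checking before assuming the restriction holds.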

Example

The identifiers below all belong to one app; the Exchange cmdlets use only the first two. Note that registering the service principal in Exchange and granting it FullAccess with Add-MailboxPermission is the per-mailbox grant Microsoft documents for the IMAP/POP/SMTP client-credentials flows; with EWS full_access_as_app the app can already open every mailbox, and the application access policy from the steps above is what narrows that.

Application (client) ID: 0b......-....-....-....-..........3c (the AppId for New-ServicePrincipal and the access policy)

Enterprise application Object ID, i.e. the service principal: 9f......-....-....-....-.........b9 (the -ServiceId for New-ServicePrincipal and the -User for Add-MailboxPermission)

App registration Object ID: 29......-....-....-....-..........df (not used by any of the Exchange cmdlets below)

First attempt, passing the application (client) ID as -User before the Exchange service principal existed. Use the service principal Object ID after New-ServicePrincipal instead, as in the Exchange section below:

Add-MailboxPermission -Identity "TestStatementReconciliation@example.co.nz" -User "0b......-....-....-....-..........3c" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

Look up the service principal Object ID from the client ID with Az PowerShell (recent Az.Resources versions expose it as the Id property rather than ObjectId):

Get-AzADServicePrincipal -Filter "appId eq '0b......-....-....-....-..........3c'" | Select-Object AppId, ObjectId

# Exchange

Connect-ExchangeOnline -UserPrincipalName <ADM@example.co.nz> -ShowProgress $true

# Register the Entra service principal in Exchange Online (template, then the actual call).
# Recent ExchangeOnlineManagement releases document this parameter as -ObjectId rather than -ServiceId.
# New-ServicePrincipal -AppId "your-app-client-id" -ServiceId "your-service-principal-object-id"

New-ServicePrincipal -AppId "0b......-....-....-....-..........3c" -ServiceId "9f......-....-....-....-...........b9" -DisplayName "example-reconciliation-dev"

DisplayName                ObjectId                              AppId
-----------                --------                              -----
example-reconciliation-dev 9f......-....-.....-....-.........b9  0b......-....-....-....-..........3c

# Confirm the service principal exists in Exchange before granting permissions
Get-ServicePrincipal | Where-Object { $_.AppId -eq "your-app-client-id" }

# Grant FullAccess using the service principal's Object ID, not the client ID (template, then the actual call).
# -AutoMapping only affects Outlook auto-mapping for users, so it is irrelevant for an app but harmless.
Add-MailboxPermission -Identity "shared-mailbox@contoso.com" -User "your-service-principal-object-id" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

Add-MailboxPermission -Identity "TestStatementReconciliation@example.co.nz" -User "9f......-....-....-....-..........b9" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

Identity             User                 AccessRights   IsInherited Deny
--------             ----                 ------------   ----------- ----
06......-....-....-… S-1-5-21-2426222919… {FullAccess}
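The same Exchange-side registration and grant as a re-runnable script with a verification step, added here as an example; it is not the page's own command sequence. The two GUIDs, the display name and the admin UPN are placeholders to fill in from your own tenant, and the service-principal existence check and the final permission listing are additions not shown on the page.

```powershell
# Added example (not from the original page): register the Entra service principal in
# Exchange Online, grant it FullAccess on one mailbox, and review who else holds FullAccess.
# Assumed placeholders: $AppId, $SpObjectId and the admin UPN.
$AppId      = "<application (client) ID>"
$SpObjectId = "<enterprise application / service principal Object ID>"
$Mailbox    = "TestStatementReconciliation@example.co.nz"

Connect-ExchangeOnline -UserPrincipalName "ADM@example.co.nz" -ShowBanner:$false

# Exchange keeps its own copy of the service principal; reuse it if it already exists.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    # -ServiceId is the parameter name used on this page; recent module releases document it as -ObjectId.
    $sp = New-ServicePrincipal -AppId $AppId -ServiceId $SpObjectId -DisplayName "example-reconciliation-dev"
}
$sp | Format-Table DisplayName, ObjectId, AppId -AutoSize

# Grant FullAccess with the Exchange service principal's Object ID as -User. Passing the
# application (client) ID here does not identify a recipient and is the wrong identifier.
$existing = Get-MailboxPermission -Identity $Mailbox -User $sp.ObjectId -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-MailboxPermission -Identity $Mailbox -User $sp.ObjectId -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false
}

# Check: list every explicit (non-inherited) FullAccess grant on the mailbox, excluding the
# built-in NT AUTHORITY entries, so the app's grant and any unexpected principal both show up.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\*" -and
        $_.AccessRights -contains "FullAccess"
    } |
    Select-Object Identity, User, AccessRights, Deny

Disconnect-ExchangeOnline -Confirm:$false
```

The service principal shows up in the permission list as a SID (S-1-5-21-...) rather than as its GUID, as in the output above, so match it by running Get-MailboxPermission with -User set to the Object ID rather than by string-matching the User column. To revoke the grant later, Remove-MailboxPermission takes the same -Identity, -User and -AccessRights values.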

Azure/O365AppMailBoxAccess (last edited 2026-01-22 23:21:13 by PieterSmit)