how to restrict exchange application permissions

nExoR 41 Reputation points
2020-10-26T13:40:00.687+00:00

hi,

I'm creating an automated solution for some reporting that is to be run by 1st and 2nd line. Quite recently there has been a new connect-exchangeonline feature allowing you to connect with a certificate, using an EXO app registration
https://www.quadrotech-it.com/blog/certificate-based-authentication-for-exchange-online-remote-powershell/
It's basically a great feature, and the script can run with an automated logon experience....

The problem is that such a connection has full admin permissions. I found information on application restrictions, but the issue there is that it is 'per mailbox', while I need to restrict access by granting RO permissions to all mailboxes (for now and for the future), so this policy is highly unsustainable.
https://learn.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps

To summarize: I want to write a fully automated script that has RO access to EXO.

  • Is there a way to limit the registered app's permissions globally to RO?
  • Is there an option for the application (app registered in AAD) to run in the context of a particular user, so that I could then create roles in EXO?

suggestions appreciated!


Accepted answer
  1. Andy David - MVP 141.6K Reputation points MVP
    2020-10-26T13:47:10.757+00:00

    You can add the Azure app to the Global Reader Azure role and nothing else and accomplish this.
    It won't run in the context of the user, however, but if you gave the app Global Reader perms, then it wouldn't need to, would it?

    Global Reader has full read access to Exchange Online

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-reader-permissions
    microsoft.office365.exchange/allEntities/read

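To put the accepted answer into practice, here is an added example (not from the thread, not Microsoft's own code): it assigns the app registration's service principal to the Global Reader directory role, then opens the certificate-based session and checks that a read succeeds while a write is rejected. It assumes the AzureAD and ExchangeOnlineManagement modules, and the app ID, certificate thumbprint and tenant name are placeholders.

```powershell
# Added example, not from the thread. Placeholders below must be replaced.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: app registration (client) ID
$Thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'            # placeholder: cert installed in CurrentUser\My
$TenantName = 'contoso.onmicrosoft.com'                # placeholder: tenant initial domain

# 1. Grant the app's service principal the Global Reader role (run once, as an admin).
Connect-AzureAD | Out-Null
$sp   = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Global Reader'
if (-not $role) {
    # Directory roles only appear once activated from their template.
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Reader'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
}

# 2. Connect unattended with the certificate and verify least privilege:
#    a read must work, a write must fail (in EXO, cmdlets outside the app's
#    RBAC scope are simply not available in the session).
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $TenantName -ShowBanner:$false

$mbx = Get-EXOMailbox -ResultSize 1
if (-not $mbx) { throw 'Read check failed: no mailbox returned.' }

try {
    # -WhatIf keeps this harmless even if the app turns out to have write rights.
    Set-Mailbox -Identity $mbx.Identity -WhatIf -ErrorAction Stop
    Write-Warning 'Write check FAILED: Set-Mailbox was accepted; the app still holds a write role. Review its role assignments.'
} catch {
    Write-Host "Write check passed, write cmdlet rejected: $($_.Exception.Message)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run step 2 after any change to the app's role assignments; it is the cheapest way to confirm the reporting identity is still read-only.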

1 additional answer

  1. nExoR 41 Reputation points
    2020-10-27T19:32:56.057+00:00

    Thank you guys! It was so obvious... why didn't I check in the first place?
    I found the app in the 'exchange admin' role, so it's that simple...

    kudos
