Reputation: 83
I'm trying to figure out how to restrict which mailbox an application can access.
I have followed this guide and used app-only authentication: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
According to the documentation I have to set the 'full_access_as_app' permission. However the info text states: "Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user."
I'm able to read mailboxes but I would like to restrict which mailbox my application can access. Can anyone point me in the right direction?
Thank you.
My code:
// Required namespaces for the snippet below
using System;
using System.Configuration;                     // ConfigurationManager
using Microsoft.Exchange.WebServices.Data;      // ExchangeService, Folder, Mailbox, ...
using Microsoft.Identity.Client;                // ConfidentialClientApplicationBuilder, MsalException

static async System.Threading.Tasks.Task Main(string[] args)
{
    // Using Microsoft.Identity.Client 4.22.0
    var cca = ConfidentialClientApplicationBuilder
        .Create(ConfigurationManager.AppSettings["appId"])
        .WithClientSecret(ConfigurationManager.AppSettings["clientSecret"])
        .WithTenantId(ConfigurationManager.AppSettings["tenantId"])
        .Build();

    // App-only (client credentials) token for EWS
    var ewsScopes = new string[] { "https://outlook.office365.com/.default" };

    try
    {
        var authResult = await cca.AcquireTokenForClient(ewsScopes)
            .ExecuteAsync();

        // Configure the ExchangeService with the access token
        var ewsClient = new ExchangeService
        {
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
            Credentials = new OAuthCredentials(authResult.AccessToken),
            ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "[email protected]")
        };

        // Bind to the Inbox of the target mailbox and list the first 100 items
        var mailbox = new Mailbox("[email protected]");
        var folderId = new FolderId(WellKnownFolderName.Inbox, mailbox);
        var inbox = Folder.Bind(ewsClient, folderId);

        if (inbox != null)
        {
            FindItemsResults<Item> items = inbox.FindItems(new ItemView(100));
            foreach (var item in items)
            {
                Console.WriteLine(item.Subject);
            }
        }
    }
    catch (MsalException ex)
    {
        Console.WriteLine($"Error acquiring access token: {ex}");
    }
    catch (Exception ex)
    {
        Console.WriteLine($"Error: {ex}");
    }

    if (System.Diagnostics.Debugger.IsAttached)
    {
        Console.WriteLine("Hit any key to exit...");
        Console.ReadKey();
    }
}
Upvotes: 2
Views: 920
Reputation: 16438
You can follow Scoping application permissions to specific Exchange Online mailboxes.
Although this document is under Microsoft Graph, it should also apply to the https://outlook.office365.com
module because this setting is for app registration and O365 mailbox.
You need to create an application access policy which sets the -AccessRight RestrictAccess.
And then test the newly created application access policy which restricts access to the user [email protected].
Test-ApplicationAccessPolicy -Identity [email protected] -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b
Upvotes: 1
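As an added example (not code from the question or the answer above), here is the Exchange Online PowerShell sequence the answer describes: create one application access policy with -AccessRight RestrictAccess scoped to a mail-enabled security group, then test a mailbox inside and one outside that group. The app id, group address and mailbox addresses are placeholders; the ExchangeOnlineManagement module and a role allowed to manage application access policies are assumed.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module is installed and the caller may manage application access policies.
# Every identifier below is a placeholder to be replaced with real tenant values.
$AppId       = '00000000-0000-0000-0000-000000000000'   # placeholder app (client) id of the EWS app
$ScopeGroup  = 'ews-allowed-mailboxes@contoso.example'  # placeholder mail-enabled security group
$AllowedUser = 'alice@contoso.example'                  # placeholder mailbox that is a member of $ScopeGroup
$OtherUser   = 'bob@contoso.example'                    # placeholder mailbox that is NOT a member

Connect-ExchangeOnline

# RestrictAccess: the app keeps full_access_as_app, but only for mailboxes that are
# members of $ScopeGroup; every other mailbox is denied for this app id.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit EWS app-only access to the allowed-mailboxes group'

# Show what is now configured for this app id.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, ScopeName, AccessRight, Description

# Verify the effective decision for a mailbox in scope and one out of scope.
$inScope  = Test-ApplicationAccessPolicy -Identity $AllowedUser -AppId $AppId
$outScope = Test-ApplicationAccessPolicy -Identity $OtherUser  -AppId $AppId

# Expected: Granted for the group member, Denied for the non-member.
[pscustomobject]@{ Mailbox = $AllowedUser; Result = $inScope.AccessCheckResult }
[pscustomobject]@{ Mailbox = $OtherUser;   Result = $outScope.AccessCheckResult }

Disconnect-ExchangeOnline -Confirm:$false
```

The policy is evaluated per app id, so the client-credentials token the question's C# code acquires is unchanged; the EWS call against a mailbox outside the group simply fails. New or changed policies may take a while to become effective, so a test that still reports Granted immediately after creation is worth re-running later before concluding the policy is wrong. The alternative value -AccessRight DenyAccess blocks only the listed group and leaves all other mailboxes reachable, which is the opposite of what the question asks for.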