
I understand that for an app to access Office365 mailboxes I need a registered app with Application Permissions, e.g. Mail.Read which - according to its description - "allows the app to read mail in all mailboxes without signed-in user".

This is exactly what I need except I don't need and I am not allowed to read all mailboxes within the organisation.

In order to restrict this further I can of course set an ApplicationAccessPolicy, which allows restricting the access to a specific mailbox or, more generally, to a PolicyScopeGroupId.

My issue is that when this policy is not active, changed or deleted for whatever reason, an app has full access to all of the organization's mailboxes, which sounds very risky in a bigger enterprise.

Isn't there really any other way to handle that the other way around, so that by default no mailbox can be accessed except a set of defined ones?

LBA
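A concrete way to set up and verify the ApplicationAccessPolicy mentioned in the question, as an added example that is not part of the original post or the answer. It uses the Exchange Online PowerShell cmdlets New-ApplicationAccessPolicy, Get-ApplicationAccessPolicy and Test-ApplicationAccessPolicy; the app ID, the group address and the probe mailbox are placeholders, and the periodic check in the last step is the author's own suggestion for the "policy got deleted" risk, not a Microsoft feature.

```powershell
# Added example: scope an app's Mail.Read application permission with an
# ApplicationAccessPolicy and verify that it actually bites.
# All identifiers below are placeholders (assumptions), not values from the page.
Connect-ExchangeOnline   # ExchangeOnlineManagement module, Exchange admin role

$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder: app (client) ID
$Scope = 'mailbox-app-allowed@contoso.example'    # placeholder: mail-enabled security group
$Probe = 'finance-shared@contoso.example'         # placeholder: a mailbox outside $Scope

# 1. Create the restricting policy. From now on the app may use its Mail.*,
#    MailboxSettings.*, Calendars.* and Contacts.* application permissions only
#    against members of $Scope; other Graph permissions are not covered by this policy.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Scope `
    -AccessRight RestrictAccess -Description 'Limit mailbox app to the allowed group'

# 2. Confirm the policy is registered for this app.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }

# 3. Check the effect against a mailbox that must be denied. Policy changes take
#    some time to propagate, so re-run this until the result settles.
$result = Test-ApplicationAccessPolicy -Identity $Probe -AppId $AppId
$result.AccessCheckResult   # expected: Denied for $Probe, Granted for members of $Scope

# 4. The concern in the question is the policy being changed or removed later.
#    Running this check on a schedule and alerting when the probe mailbox flips to
#    Granted turns that silent failure into a visible one.
if ($result.AccessCheckResult -ne 'Denied') {
    Write-Warning "App $AppId is no longer restricted from $Probe - investigate the policy."
}
```

Use -AccessRight DenyAccess instead of RestrictAccess when the intent is to block the app from a group rather than confine it to one. The check in step 3 is the part worth keeping around: it answers "can this app read that mailbox right now?" directly, independent of what the policy list looks like.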

1 Answer


The other way around can be: there is a separate Mail.Read permission for both Application and Delegated permissions.

The difference between "App-only vs. delegated permissions"

Permission scopes can be either app-only or delegated. App-only scopes (also known as app roles) grant the app the full set of privileges offered by the scope. App-only scopes are typically used by apps that run as a service without a signed-in user being present.

Delegated permission scopes are for apps that act on behalf of a user. These scopes delegate the privileges of the signed-in user, allowing the app to act as the user. The actual privileges granted to the app will be the least privileged combination (the intersection) of the privileges granted by the scope and those possessed by the signed-in user. For example, if the permission scope grants delegated privileges to write all directory objects, but the signed-in user has privileges only to update their own user profile, the app will only be able to write the signed-in user's profile but no other objects.

"Permissions not requiring administrator's consent" are delegated permissions, while "App-only permissions requiring administrator's consent" are the app-only permissions, which is why it shows up twice.

If you want to access the mail for all the users in your tenant, then you must have a user account that has that level of access or you need to use an App Only token which grants that scope of access.

Mehtab Siddique
Sorry, I totally get the difference, but I don't want to use delegated permissions specifically. But it should be possible IMHO that an app's access is limited by default, not "access anything" by default to be restricted by a policy, but opened up by a policy. – LBA Mar 11 '22 at 10:54