ApplicationAccessPolicy
When finally removing the last exceptions from a Conditional Access policy blocking Basic Authentication I came upon an application (external vendor) that previously used IMAP with basic authentication and now needed migrating to Oauth.
The vendor provided easy instructions but listed horrible permissions. A big no from me was The Exchange API permission “full_access_as_app”. That would give the vendor access to read all mailboxes in our organization. A thread on reddit pointed me towards this documentation on Application Access Policy’s.
The solution is to add the mailbox the app should be able to access to a distribution list and create a policy to limit the applications permissions to members of that distribution list.
1
New-ApplicationAccessPolicy -AppId 17ff220f-79db-4c7f-a9a5-fef452795ace -PolicyScopeGroupId RestrictedGroup@ourtenant.onmicrosoft.com -AccessRight RestrictAccess -Description "Restrict access to members of RestrictedGroup"
To test the access we can use Test-ApplicationAccessPolicy
1
Test-ApplicationAccessPolicy -Identity testuser1@ourtenant.onmicrosoft.com -AppId 17ff220f-79db-4c7f-a9a5-fef452795ace
The output should list AccessCheckResult and give you Denied or Granted.