Tags: c#, azure, oauth-2.0, office365, imap

How to restrict mailbox access for office 365 app


I'm trying to figure out how to restrict which mailbox an application can access.

I have followed this guide and used app-only authentication: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

According to the documentation I have to set the 'full_access_as_app' permission. However, the info text states: "Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user."

I'm able to read mailboxes, but I would like to restrict which mailbox my application can access. Can anyone point me in the right direction?

Thank you.

My code:

    using System;
    using System.Configuration;
    using Microsoft.Exchange.WebServices.Data;   // EWS Managed API
    using Microsoft.Identity.Client;             // MSAL, version 4.22.0

    class Program
    {
        static async System.Threading.Tasks.Task Main(string[] args)
        {
            // App-only (client credentials) flow: no signed-in user, the app acts
            // under the full_access_as_app application permission granted to it.
            var cca = ConfidentialClientApplicationBuilder
                .Create(ConfigurationManager.AppSettings["appId"])
                .WithClientSecret(ConfigurationManager.AppSettings["clientSecret"])
                .WithTenantId(ConfigurationManager.AppSettings["tenantId"])
                .Build();

            // ".default" requests every application permission consented for the EWS resource
            var ewsScopes = new string[] { "https://outlook.office365.com/.default" };

            try
            {
                var authResult = await cca.AcquireTokenForClient(ewsScopes)
                    .ExecuteAsync();

                // Configure the ExchangeService with the access token and pick the
                // mailbox to act on via impersonation (X-AnchorMailbox is set by EWS)
                var ewsClient = new ExchangeService
                {
                    Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
                    Credentials = new OAuthCredentials(authResult.AccessToken),
                    ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "[email protected]")
                };

                var mailbox = new Mailbox("[email protected]");
                var folderId = new FolderId(WellKnownFolderName.Inbox, mailbox);

                var inbox = Folder.Bind(ewsClient, folderId);

                if (inbox != null)
                {
                    FindItemsResults<Item> items = inbox.FindItems(new ItemView(100));

                    foreach (var item in items)
                    {
                        Console.WriteLine(item.Subject);
                    }
                }
            }
            catch (MsalException ex)
            {
                // Token acquisition failed (bad secret, tenant, or missing consent)
                Console.WriteLine($"Error acquiring access token: {ex}");
            }
            catch (Exception ex)
            {
                // EWS call failed (e.g. access denied to the requested mailbox)
                Console.WriteLine($"Error: {ex}");
            }

            if (System.Diagnostics.Debugger.IsAttached)
            {
                Console.WriteLine("Hit any key to exit...");
                Console.ReadKey();
            }
        }
    }

Solution

  • You can follow Scoping application permissions to specific Exchange Online mailboxes.

    Although this document is under Microsoft Graph, it should also apply to the https://outlook.office365.com module because this setting is for app registration and O365 mailbox.

    You need to create an application access policy which sets the -AccessRight RestrictAccess.

    And then test the newly created application access policy which restricts access to the user [email protected].

    Test-ApplicationAccessPolicy -Identity [email protected] -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b
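The policy creation and test the answer describes, as an added Exchange Online PowerShell example (not code from the question or the answer). It assumes the ExchangeOnlineManagement module is installed, the caller has Exchange administrator rights, and a mail-enabled security group holds the mailboxes the app may reach; the app id, group and mailbox addresses are placeholders.

```powershell
# Added example; app id, group and mailbox addresses below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$appId       = "<client-id-of-the-app-registration>"   # placeholder: the Azure app's (client) id
$scopeGroup  = "App-Mailbox-Scope@contoso.example"     # constructed mail-enabled security group
$allowedUser = "mailbox1@contoso.example"              # constructed: member of $scopeGroup
$otherUser   = "mailbox2@contoso.example"              # constructed: not a member

# 1. Create the policy. The app keeps its full_access_as_app grant, but Exchange
#    only honours it for mailboxes that are members of $scopeGroup.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit app-only mailbox access to members of App-Mailbox-Scope"

# 2. Verify both outcomes, not just the allowed mailbox. AccessCheckResult is
#    "Granted" for the member and "Denied" for the non-member once the policy
#    has propagated (allow some minutes after creation).
foreach ($mbx in @($allowedUser, $otherUser)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $appId
    "{0,-32} {1}" -f $mbx, $result.AccessCheckResult
}

# 3. For periodic review: list every policy that applies to this app id.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId } | Format-List
```

Re-run the test after any change to the group membership, since the policy is evaluated against the group's members rather than against a fixed list of addresses.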