Limiting Mailbox and User Access with Application Permissions using RBAC

Christian Delorey

Applies to: Microsoft Modern Exchange Connector (Graph) and Exchange Web Services (EWS) application connections

When using application permissions in either Microsoft Modern Exchange Connector (Graph) or EWS, the default behavior grants the application access to all mailboxes in the tenant. To comply with the principle of least privilege and minimize security exposure, Microsoft now recommends using Role-Based Access Control (RBAC) for Applications to limit this access.

Important: Microsoft is deprecating support for Application Access Policies. RBAC for Applications is the preferred and future-proof method for controlling mailbox access via application permissions.
Learn more in Microsoft’s announcement.


Prerequisites

To proceed, ensure you have the following:

  • A mail-enabled security group in Microsoft 365. Only users in this group will be accessible by the application.

  • Exchange Online PowerShell access with appropriate permissions.

  • The Application (client) ID and Object ID for the Riva Enterprise Application, found in Azure Active Directory > Enterprise Applications.


Step-by-Step: Restricting Mailbox Access with RBAC

1. Connect to Exchange Online via PowerShell

If you haven’t connected yet, follow Microsoft’s guide:
Connect to Exchange Online PowerShell


2. Identify the Mail-Enabled Security Group

You’ll need the Distinguished Name (DN) of the security group Riva users belong to.

Get-Group "YourGroupName" | Select-Object -Property DistinguishedName

Only mail-enabled security groups are supported. Microsoft 365 groups, distribution groups, and security-only groups may not work properly with this method.


3. Create a Management Scope

Create a custom scope that limits access to the selected group:

New-ManagementScope -Name "RivaSyncScope" -RecipientRestrictionFilter {memberofGroup -eq "CN=GroupName,OU=domain.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=...,DC=COM"}

  • Replace the value in memberofGroup with the DN obtained in Step 2.

  • The scope limits the application to only the mailboxes of members of this group.


4. Create a Service Principal for the Application

New-ServicePrincipal -AppId <ApplicationId> -ObjectId <ObjectId> -DisplayName "RBAC RivaSync"

Replace <ApplicationId> and <ObjectId> with values from your Riva Azure Enterprise Application.


5. Assign the Application Role with EWS permission

Note: This step is only applicable to EWS, not Graph.

New-ManagementRoleAssignment -Name "RBAC RivaSync" -Role "Application EWS.AccessAsApp" -App <ApplicationId> -CustomResourceScope "RivaSyncScope"

Parameter              Description
Name                   A label for the assignment.
Role                   Use "Application EWS.AccessAsApp" for EWS.
App                    The Application (client) ID.
CustomResourceScope    The scope name from Step 3.

6. Assign the Application Role with Graph permissions

Before proceeding, check whether a scope is already assigned to the application:

Get-ManagementRoleAssignment "RBAC GraphScope" | Format-List

  • If no role assignment is returned, go to Step 6.1.

  • If the role assignment already exists, go to Step 6.2.

6.1 Create a new role assignment

New-ManagementRoleAssignment -Name "RBAC GraphScope" -Role "Application Calendars.ReadWrite" -App <ApplicationId> -CustomResourceScope "RBACGraphScope"

For Graph, the role name follows the format Application <GrantedPermission>, where <GrantedPermission> is the Graph application permission granted to the app (see the list of supported roles below).

6.1.1 Assign Additional Permission Scope

Assign each permission scope separately (one command per role assignment):

New-ManagementRoleAssignment -Role "Application <GrantedPermission>" -App <ApplicationId> -CustomResourceScope "RBACGraphScope"

Note: When assigning additional permission scopes, do not include the -Name parameter. Role assignment names must be unique, and "RBAC GraphScope" is already used by the assignment created in Step 6.1; Exchange generates a name for each additional assignment.

6.2 Update an existing role assignment

Use this step if:

  • The role assignment already exists, and

  • You want to change the scope attached to it.

Set-ManagementRoleAssignment -Identity "RBAC GraphScope" -CustomResourceScope "RBACGraphScope"

Supported Application Roles

Name                                   Permission                  Mailbox-scoped
Application Calendars.ReadWrite        Calendars.ReadWrite         Yes
Application Mail.ReadWrite             Mail.ReadWrite              Yes
Application Mail.Send                  Mail.Send                   Yes
Application MailboxSettings.ReadWrite  MailboxSettings.ReadWrite   Yes
Application Contacts.ReadWrite         Contacts.ReadWrite          Yes
Application GroupMember.Read.All       GroupMember.Read.All        No
Application User.Read.All              User.Read.All               No
Application Tasks.ReadWrite.All        Tasks.ReadWrite.All         No

Note: The "No" entries are Graph directory permissions that are tenant-wide by design. They currently cannot be scoped the way mailbox access can be restricted via Exchange Application RBAC; this is a Microsoft limitation, so an application holding these permissions retains tenant-wide access to that directory data even after the steps above.

For more information, see Role Based Access Control for Applications in Exchange Online - Microsoft


7. Test the Scope Assignment

Verify the setup using the following command:

Test-ServicePrincipalAuthorization -Identity "RBAC RivaSync" -Resource user@example.com | Format-Table

  • Replace user@example.com with a mailbox belonging to the security group.

Note: It may take up to 30 minutes for the scope permissions to take effect.
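The following script ties Steps 2 through 7 together as one re-runnable sequence. It is an added example for this article, not Riva's or Microsoft's code. The group name, the Application and Object IDs, and the two test mailboxes are placeholders you must replace; the idempotence checks assume that Get-ManagementScope, Get-ServicePrincipal and Get-ManagementRoleAssignment accept the scope name, the Application ID and the service principal display name as identities, so verify those lookups in your own tenant before relying on them. The script applies only the mailbox-scoped Graph roles from the table above and finishes by confirming that a member mailbox is in scope and a non-member mailbox is not.

```powershell
# Added example (not from the original article): end-to-end RBAC-for-Applications
# setup for Riva in Exchange Online, written so it can be re-run safely.
# Requires an existing Connect-ExchangeOnline session (Step 1).

# --- Placeholder values: replace with your own -------------------------------
$GroupName       = 'Riva Sync Users'                       # mail-enabled security group (assumed name)
$AppId           = '00000000-0000-0000-0000-000000000000'  # Application (client) ID placeholder
$ObjectId        = '11111111-1111-1111-1111-111111111111'  # Enterprise Application Object ID placeholder
$ScopeName       = 'RivaSyncScope'
$SpDisplayName   = 'RBAC RivaSync'
$MemberMailbox   = 'member@example.com'                    # a mailbox inside the group (assumed)
$OutsiderMailbox = 'outsider@example.com'                  # a mailbox outside the group (assumed)

# Graph application permissions the article lists as mailbox-scoped.
$MailboxScopedPermissions = @(
    'Calendars.ReadWrite',
    'Mail.ReadWrite',
    'Mail.Send',
    'MailboxSettings.ReadWrite',
    'Contacts.ReadWrite'
)

# Step 2: resolve the group's Distinguished Name instead of typing it by hand,
# and refuse anything that is not a mail-enabled security group.
$group = Get-Group -Identity $GroupName -ErrorAction Stop
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "'$GroupName' is not a mail-enabled security group (found: $($group.RecipientTypeDetails))."
}
$groupDn = $group.DistinguishedName

# Step 3: create the management scope only if it does not exist yet.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" | Out-Null
}

# Step 4: register the service principal only if it does not exist yet
# (assumes Get-ServicePrincipal accepts the Application ID as -Identity).
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName $SpDisplayName | Out-Null
}

# Step 6: one role assignment per Graph permission, each bound to the scope.
foreach ($perm in $MailboxScopedPermissions) {
    $roleName = "Application $perm"
    $existing = Get-ManagementRoleAssignment -RoleAssignee $SpDisplayName -Role $roleName `
                    -ErrorAction SilentlyContinue
    if ($existing) {
        # Step 6.2: an assignment exists; make sure it points at our scope.
        $existing | Where-Object { $_.CustomResourceScope -ne $ScopeName } |
            Set-ManagementRoleAssignment -CustomResourceScope $ScopeName
    } else {
        # Steps 6.1 / 6.1.1: omit -Name so Exchange generates a unique one per role.
        New-ManagementRoleAssignment -Role $roleName -App $AppId `
            -CustomResourceScope $ScopeName | Out-Null
    }
}

# Step 7: a mailbox passes only if every role row reports InScope = True.
# Scope changes can take up to 30 minutes to apply, so a fresh setup may
# report False for the member mailbox until propagation completes.
function Test-MailboxInScope {
    param([string]$Mailbox)
    $rows = Test-ServicePrincipalAuthorization -Identity $SpDisplayName -Resource $Mailbox
    return (@($rows | Where-Object { -not $_.InScope }).Count -eq 0)
}

$memberInScope   = Test-MailboxInScope -Mailbox $MemberMailbox
$outsiderInScope = Test-MailboxInScope -Mailbox $OutsiderMailbox

"Member mailbox in scope:   $memberInScope   (expected: True)"
"Outsider mailbox in scope: $outsiderInScope (expected: False)"
if ($outsiderInScope) {
    Write-Warning "A mailbox outside '$GroupName' is still reachable; review the role assignments' CustomResourceScope."
}
```

The two final checks are the part worth keeping around after setup: re-running them after any change to the group or the role assignments confirms that the application's reach is still bounded by the group, and the warning on the outsider mailbox is the signal that an assignment was created without the custom scope.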



Outcome

After completing these steps, Riva will only be able to access the mailboxes of users who are part of the specified mail-enabled security group. This approach offers a secure, supportable method of limiting mailbox access when using application permissions for Microsoft Graph or EWS integrations.

In Riva, a connection test for a non-member user will return the error message below, indicating the required permissions are not granted.

[Image: failed connection test result]

A connection test on a member-user will show "Passed. Connection was successful."


Related Resources