Limiting Mailbox and User Access with Application Permissions using RBAC


Applies to: Microsoft Graph and Exchange Web Services (EWS) application connections

When using application permissions in either Microsoft Graph or EWS, the default behavior grants the application access to all mailboxes in the tenant. To comply with the principle of least privilege and minimize security exposure, Microsoft now recommends using Role-Based Access Control (RBAC) for Applications to limit this access.

⚠️ Important: Microsoft is deprecating support for Application Access Policies. RBAC for Applications is the preferred and future-proof method for controlling mailbox access via application permissions.
Learn more in Microsoft’s announcement.


Prerequisites

To proceed, ensure you have the following:

  • A mail-enabled security group in Microsoft 365. Only users in this group will be accessible by the application.

  • Exchange Online PowerShell access with appropriate permissions.

  • The Application (client) ID and Object ID of the Riva Enterprise Application, found in Azure Active Directory (now Microsoft Entra ID) > Enterprise applications. Use the Object ID shown on the Enterprise application (the service principal), not the Object ID of the App registration; the two are different values.


Step-by-Step: Restricting Mailbox Access with RBAC

1. Connect to Exchange Online via PowerShell

If you haven’t connected yet, follow Microsoft’s guide:
👉 Connect to Exchange Online PowerShell


2. Identify the Mail-Enabled Security Group

You’ll need the Distinguished Name (DN) of the security group Riva users belong to.

Get-Group "YourGroupName" | Select-Object -Property DistinguishedName

📝 Only mail-enabled security groups are supported. Microsoft 365 groups, distribution groups, and security-only groups may not work properly with this method.


3. Create a Management Scope

Create a custom scope that limits access to the selected group:

New-ManagementScope -Name "RivaSyncScope" -RecipientRestrictionFilter {memberofGroup -eq "CN=GroupName,OU=domain.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=...,DC=COM"}

  • Replace the value in memberofGroup with the DN obtained in Step 2. Keep the DN inside quotes: it contains spaces and commas.

  • The scope limits the application to the mailboxes of members of this group only.


4. Create a Service Principal for the Application

New-ServicePrincipal -AppId <ApplicationId> -ObjectId <ObjectId> -DisplayName "RBAC RivaSync"

Replace <ApplicationId> and <ObjectId> with the values from your Riva Enterprise Application (the service principal's Object ID, as noted in the prerequisites).


5. Assign the Application Role with Scope

New-ManagementRoleAssignment -Name "RBAC RivaSync" -Role "Application EWS.AccessAsApp" -App <ApplicationId> -CustomResourceScope "RivaSyncScope"

Parameter            Description
Name                 A label for the assignment.
Role                 Use Application EWS.AccessAsApp for EWS. For Microsoft Graph, use the Application role that matches each application permission granted to the app (for example Application Mail.ReadWrite or Application Calendars.ReadWrite), creating one assignment per role.
App                  The Application (client) ID.
CustomResourceScope  Scope name from Step 3.

6. Test the Scope Assignment

Verify the setup using the following command:

Test-ServicePrincipalAuthorization -Identity "RBAC RivaSync" -Resource user@example.com | Format-Table

  • Replace user@example.com with a mailbox belonging to the security group; the InScope column should show True.

  • Run the command again with a mailbox that is not in the group; InScope should show False. If it shows True, the application is still reaching mailboxes outside the intended scope.

Note: It may take up to 30 minutes for the scope permissions to take effect.
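The six steps above as one idempotent script, with the positive and negative scope checks added. This is an added example, not Riva's or Microsoft's code. Everything in the variables block is an assumption to replace: the group name "Riva Sync Users", the placeholder GUIDs, the scope and assignment names, the role list, and the two test mailboxes are constructed for illustration.

```powershell
# Added example (not from the article or from Riva): Steps 1-6 as one script,
# plus a member/non-member check of the resulting scope.
# All values below are assumptions; replace them with your tenant's values.
$GroupName        = "Riva Sync Users"                      # mail-enabled security group
$AppId            = "00000000-0000-0000-0000-000000000000" # Application (client) ID (placeholder)
$SpObjectId       = "11111111-1111-1111-1111-111111111111" # Object ID of the Enterprise application / service principal (placeholder)
$ScopeName        = "RivaSyncScope"
$AssignmentName   = "RBAC RivaSync"
# One assignment is created per role. EWS needs Application EWS.AccessAsApp;
# for Graph, list the Application <permission> roles that match the app's grant.
$Roles            = @("Application EWS.AccessAsApp")
$MemberMailbox    = "member@example.com"   # constructed: a user IN the group
$NonMemberMailbox = "outsider@example.com" # constructed: a user NOT in the group

# Step 1: connect (interactive sign-in)
Connect-ExchangeOnline -ShowBanner:$false

# Step 2: resolve the group and fail early if it is not a mail-enabled security group
$group = Get-Group -Identity $GroupName -ErrorAction Stop
if ($group.RecipientTypeDetails -ne "MailUniversalSecurityGroup") {
    throw "'$GroupName' is $($group.RecipientTypeDetails); a mail-enabled security group is required."
}
$groupDn = $group.DistinguishedName

# Step 3: management scope (reused if it already exists).
# The DN is single-quoted inside the filter because it contains spaces and commas.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" | Out-Null
}

# Step 4: service principal, using the same -ObjectId form as the article
$existingSp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $existingSp) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $AssignmentName | Out-Null
}

# Step 5: one scoped role assignment per role
foreach ($role in $Roles) {
    $name = if ($Roles.Count -eq 1) { $AssignmentName } else { "$AssignmentName - $role" }
    if (-not (Get-ManagementRoleAssignment -Identity $name -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Name $name -Role $role -App $AppId `
            -CustomResourceScope $ScopeName | Out-Null
    }
}

# Step 6: verify. A group member must be InScope; a non-member must not be.
function Test-RivaScope {
    param([string]$Mailbox, [bool]$Expected)
    $rows    = Test-ServicePrincipalAuthorization -Identity $AssignmentName -Resource $Mailbox
    $inScope = [bool]($rows | Where-Object { $_.InScope })
    $status  = if ($inScope -eq $Expected) { "OK  " } else { "FAIL" }
    Write-Host "$status $Mailbox  InScope=$inScope (expected $Expected)"
    return ($inScope -eq $Expected)
}

$memberOk    = Test-RivaScope -Mailbox $MemberMailbox    -Expected $true
$nonMemberOk = Test-RivaScope -Mailbox $NonMemberMailbox -Expected $false
if (-not ($memberOk -and $nonMemberOk)) {
    Write-Warning "Scope is not effective yet (propagation can take up to 30 minutes) or the assignment is wrong. Re-run the checks before letting the application go live."
}
```

The negative test is the one worth keeping in a runbook: a positive result on a member proves only that the assignment exists, while a False for a non-member is what shows the tenant-wide default has actually been narrowed.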


Outcome

After completing these steps, Riva will only be able to access the mailboxes of users who are part of the specified mail-enabled security group. This approach offers a secure, supportable method of limiting mailbox access when using application permissions for Microsoft Graph or EWS integrations.

