Limiting Mailbox and User Access with Application Permissions using RBAC - Microsoft Modern Exchange Connector (Graph)

Gurpreet Sehra
  1. Set up a Riva mailbox connection (Graph, certificate based).
  2. Perform a connection test. The test should succeed.
  3. Perform the steps below to configure RBAC assignments that limit the app's permissions to specific mailboxes.

3.0 Set up PowerShell (PS) for ExchangeOnlineManagement

a. Open PowerShell (PS) as an administrator.

b. Import-Module ExchangeOnlineManagement (if the import fails because the module is not installed, install it first with Install-Module ExchangeOnlineManagement).

c. Connect-ExchangeOnline -UserPrincipalName dev-vpadmin@vpdevadmin.onmicrosoft.com

3.1 Get Management Scopes

A management scope lets an admin select a set of mailboxes by a recipient filter on the properties of those objects. The role assignments below are limited to the mailboxes that match the scope's filter.

Use the following command to list the existing management scopes (the scope used here was already created during the EWS test):

Get-ManagementScope

We will use the scope named "Restricted Users".

3.3 Add a New Service Principal

From the app registered in Entra (Azure), open Enterprise Applications and read the Application (client) ID and the Object ID. The Object ID required by New-ServicePrincipal is the service principal's Object ID as shown under Enterprise Applications, not the Object ID of the app registration itself.

New-ServicePrincipal -AppId 987493a9-b551-476a-a2c7-1537bb5b1946 -ObjectId ed3eeed4-78b5-4b7b-b512-29de5fd4cbdb -DisplayName "RBAC limit app"

3.4 Set Up a New Role Assignment

Use the management scope name from EWS Step 3.1, "Restricted Users".

Add a new management role assignment that grants the app the Application Calendars.Read role only for mailboxes matching the "Restricted Users" filter. The -CustomResourceScope parameter is what limits the assignment to that scope; without it the role would apply to every mailbox in the tenant.

New-ManagementRoleAssignment -Name "RBAC LimitRoleAssignment" -Role "Application Calendars.Read" -App 987493a9-b551-476a-a2c7-1537bb5b1946 -CustomResourceScope "Restricted Users"


Add New Contact Management Scope

New-ManagementScope -Name "Restricted Users Contact" -RecipientRestrictionFilter "Alias -like '*AdeleV*'"

Add a second management role assignment that grants the Application Contacts.Read role, scoped to "Restricted Users Contact". Each management role assignment must have a unique name, so this assignment cannot reuse the name given to the Calendars.Read assignment above.

New-ManagementRoleAssignment -Name "RBAC LimitRoleAssignment Contacts" -Role "Application Contacts.Read" -App 987493a9-b551-476a-a2c7-1537bb5b1946 -CustomResourceScope "Restricted Users Contact"


3.5 Testing Authorization

3.5a. Test for the user with scopes assigned

Test-ServicePrincipalAuthorization -Identity "RBAC limit app" -Resource 'Adele Vance' | Format-Table

In the output, InScope = True means that the listed role (permission) applies to that mailbox for this service principal. InScope = False means the mailbox is outside the assigned scope, so the app is not allowed to reach it through that role. Run the same test against a mailbox that does not match the filter to confirm the restriction actually takes effect.
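The whole procedure from 3.0 to 3.5a, collected into one idempotent script. This is an added example written for this article, not the article's own commands or Riva's code: it re-checks each object before creating it so it can be re-run safely, gives each role assignment a distinct name, and finishes by testing one in-scope and one out-of-scope mailbox. The IDs, scope names and the AdeleV alias are the placeholders used in this article; the out-of-scope mailbox address is an assumed placeholder, and the filter behind the existing "Restricted Users" scope is not defined on this page, so the script only verifies that the scope exists.

```powershell
# Added example (not from the original article). Replace the IDs, UPNs and
# scope names with your own values before running.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName dev-vpadmin@vpdevadmin.onmicrosoft.com

# --- 3.3 Service principal -------------------------------------------------
# AppId is the Application (client) ID. ObjectId is the *service principal*
# object ID from Enterprise Applications, not the app registration's object ID.
$AppId      = "987493a9-b551-476a-a2c7-1537bb5b1946"
$SpObjectId = "ed3eeed4-78b5-4b7b-b512-29de5fd4cbdb"
$SpName     = "RBAC limit app"

if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $SpName
}

# --- 3.1 / 3.4 Management scopes -------------------------------------------
# "Restricted Users" was created in the earlier EWS article; its filter is not
# shown here, so only confirm it exists rather than recreating it.
$CalendarScope = "Restricted Users"
if (-not (Get-ManagementScope -Identity $CalendarScope -ErrorAction SilentlyContinue)) {
    throw "Management scope '$CalendarScope' not found; create it first."
}

# The contacts scope uses the same alias filter as the article.
$ContactScope = "Restricted Users Contact"
if (-not (Get-ManagementScope -Identity $ContactScope -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ContactScope -RecipientRestrictionFilter "Alias -like '*AdeleV*'"
}

# --- 3.4 Role assignments --------------------------------------------------
# One assignment per (role, scope). Assignment names are tenant-unique, so the
# name is derived from the role instead of reusing a single fixed name.
$Assignments = @(
    @{ Role = "Application Calendars.Read"; Scope = $CalendarScope },
    @{ Role = "Application Contacts.Read";  Scope = $ContactScope  }
)
foreach ($a in $Assignments) {
    $name = "RBAC Limit " + ($a.Role -replace '^Application ', '')
    if (-not (Get-ManagementRoleAssignment -Identity $name -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Name $name -Role $a.Role -App $AppId -CustomResourceScope $a.Scope
    }
}

# --- 3.5 Verify ------------------------------------------------------------
# The test cmdlet bypasses the app-permission cache, so it reflects the new
# assignments immediately. Expect InScope = True for the in-scope mailbox and
# InScope = False for a mailbox that does not match the filter.
$InScopeMailbox    = "adelev@vpdevadmin.onmicrosoft.com"
$OutOfScopeMailbox = "someone-else@vpdevadmin.onmicrosoft.com"   # assumed placeholder

"== In scope: $InScopeMailbox =="
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $InScopeMailbox | Format-Table

"== Out of scope: $OutOfScopeMailbox =="
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $OutOfScopeMailbox | Format-Table

Disconnect-ExchangeOnline -Confirm:$false
```

The out-of-scope check is the part worth keeping in a change runbook: a filter that is too broad (for example a wildcard that also matches other aliases) shows up there as InScope = True on a mailbox that should have been excluded, before the app ever calls Graph.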


3.5b. Perform a connection test in Riva for the user adelev@vpdevadmin.onmicrosoft.com. The connection test succeeds and shows access to Contacts and Calendar.

Inference: using an RBAC for Applications configuration, Graph application permissions can be limited to specific mailboxes at a granular level.

NOTE: We have noticed that it takes time for app permission changes to apply. From the Microsoft documentation:

Changes to app permissions are subject to cache maintenance that varies between 30 minutes and 2 hours depending on the app's recent usage. When testing configurations, the test command bypasses this cache. An app with no inbound calls to APIs will have its cache reset in 30 minutes, whereas an actively used app will keep its cache alive for up to 2 hours.
