Tags: azure, powershell, microsoft-graph-api

Restrict authorization Azure app Connect-MgGraph?


Sorry, I am new to using Microsoft Graph / Azure apps ...

I have successfully created a script which does what I need: reading a shared mailbox and analyzing mails to create an automatic Outlook event.

Application created in Azure with the following roles (admin consent request set to yes): Mail.*, Calendars.ReadWrite

My question: the authorization for such an app is pretty mighty, right? You could set $userid to any other person within the organisation and do some "bad things"... How is it possible to restrict access somehow (e.g. only to this single mailbox)?

# Configuration
$ClientId = "..."
$TenantId = "..."
$ClientSecret = "..."

# Convert the client secret to a secure string
$ClientSecretPass = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force

# Create a credential object using the client ID and secure string
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ClientId, $ClientSecretPass

Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential -NoWelcome
# Specify the user whose emails you want to access
$userId = "sharedbox@domain.com"

# Get the current date and time, and calculate the date for ten hours ago
$timerange = (Get-Date).AddHours(-10)
# Format as UTC in the ISO 8601 form that the Graph $filter expects
$timerangeformat = Get-Date ($timerange).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'

# Get Inbox ID
$folder = Get-MgUserMailFolder -UserId $userId -Filter "displayName eq 'Inbox'"
$folderId = $folder.Id

# Retrieve messages from the specified folder
$messages = Get-MgUserMailFolderMessage -UserId $userId -MailFolderId $folderId -Filter "receivedDateTime ge $timerangeformat" -All

# Loop through each message to retrieve attachments
foreach ($message in $messages) {
.....
# $params (the event body) is built in the elided part above
New-MgUserEvent -UserId $userId -BodyParameter $params
....
# Delete the processed message from the Inbox
Remove-MgUserMailFolderMessage -UserId $userId -MailFolderId $folderId -MessageId $message.Id -Confirm:$false
....
}

Solution

  • Note: If you want to limit application access to specific mailboxes, even if it's a shared mailbox, you need to create an application access policy in Exchange Online.

    You identify the set of mailboxes to permit access by putting them in a mail-enabled security group.

    To configure an application access policy and limit the scope of the application permissions:

    Connect-ExchangeOnline
    

    After connecting to Exchange Online, identify the registered application and the mail-enabled security group used to restrict the app's access.

    Get the application's client ID from the Microsoft Entra admin portal or use the PowerShell command below.

    # Connect to Microsoft Graph
    Connect-MgGraph -Scopes "Application.Read.All"

    # List all applications
    # AppId is the client ID that New-ApplicationAccessPolicy -AppId expects;
    # Id is the directory object ID, which is a different value
    Get-MgApplication | Select-Object DisplayName, AppId

    Get-MgApplication -Filter "displayName eq 'Your-App-Name'" | Select-Object DisplayName, AppId



    Now, create a mail-enabled security group that will contain all mailboxes the app is allowed to access (or use an existing one) and identify the email address of the group.

    To create Mail-Enabled Security Group:

    # Connect to Exchange Online PowerShell
    Connect-ExchangeOnline
    
    # Create a mail-enabled security group
    New-DistributionGroup -Name "GraphAccessMailboxScope" -DisplayName "Graph Mailbox Access Scope" -PrimarySmtpAddress graphscope@yourdomain.com -Type "Security"
    
    

    To list the mail-enabled security groups that exist in your organization:

    Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup
    


    Now, create an application access policy:

    New-ApplicationAccessPolicy -AppId <App-Id> -PolicyScopeGroupId <SmtpAddressofmail-EnabledSecurityGroup> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
    


    Replace AppId, PolicyScopeGroupId and Description with your own values.

    To test the newly created application access policy:

    Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId <application-id>
    


    Reference:

    Limit-Mailbox-Access
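An added example, not code from the question or the answer above, that ties the steps together in PowerShell: it puts only the shared mailbox from the question into the scoping group, creates the RestrictAccess policy for the app, and then verifies that the app is Granted for that mailbox and Denied for any other mailbox. The values of $AppId and $OtherMailbox are placeholders, and the group address is the one used in the answer.

```powershell
# Added example: scope a Graph app to one shared mailbox with an application
# access policy, then verify the effect with Test-ApplicationAccessPolicy.
param(
    [string]$AppId         = "<application-client-id>",   # placeholder: the app's AppId (client ID)
    [string]$SharedMailbox = "sharedbox@domain.com",      # shared mailbox from the question
    [string]$OtherMailbox  = "someone.else@domain.com",   # constructed: a mailbox that must be denied
    [string]$GroupSmtp     = "graphscope@yourdomain.com"  # group address from the answer
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. The mail-enabled security group defines the set of mailboxes the app may touch.
$group = Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name "GraphAccessMailboxScope" `
        -PrimarySmtpAddress $GroupSmtp -Type Security
}
# Only the shared mailbox goes in; every mailbox outside the group is denied.
Add-DistributionGroupMember -Identity $GroupSmtp -Member $SharedMailbox -ErrorAction SilentlyContinue

# 2. One RestrictAccess policy for this app; reuse it if it already exists.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess `
        -Description "Restrict mailbox access to members of $GroupSmtp" | Out-Null
}

# 3. Verify: the allowed mailbox must be Granted, any other mailbox Denied.
$expected = @{ $SharedMailbox = 'Granted'; $OtherMailbox = 'Denied' }
$allOk = $true
foreach ($mbx in $expected.Keys) {
    $result = (Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId).AccessCheckResult
    $status = if ("$result" -eq $expected[$mbx]) { 'OK  ' } else { $allOk = $false; 'FAIL' }
    "{0} {1,-35} expected {2,-7} got {3}" -f $status, $mbx, $expected[$mbx], $result
}
if (-not $allOk) { Write-Warning "Policy not effective yet, or group membership is incomplete." }
```

Application access policies can take up to 30 minutes to take effect, so the Denied check may still report Granted right after creation; re-run the verification step after that.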