This documentation provides guidance how to configure an OAuth 2.0 application in Azure AD and how to grant application access to a defined group of Exchange mailboxes only.

Prerequisites

To perform the steps in this documentation, you need to meet the following requirements:

• Global Administrator role
• ExchangeOnlineManagement PowerShell module in version 3 or later

Creation of a mail-enabled security group

To limit app permissions to certain mailboxes only, we need to prepare a mail-enabled security in Microsoft 365 and add the desired mailboxes as group members. This makes sure that the app can only read/write/send e-mails for the mailboxes in the scope of the security group, but access to other mailboxes in the tenant is blocked.

Please use the following PowerShell script snippet to configure the mail-enabled security group:

Please adjust the [APPLICATION-NAME] parameter and the list of group members [USER1], [USER2], … to your needs before executing the commands.

Afterwards, you can verify in the Exchange Admin Center that the group has been successfully created:

Creation of an Azure AD app registration

In Azure AD, a new OAuth 2.0 app can be registered according to the following Microsoft documentation and according to the following screenshots:

Quickstart: Register an app in the Microsoft identity platform – Microsoft Entra | Microsoft Learn

As a result, you will receive the application ID / client ID (both terms are used as synonyms). The client ID will be used in the next steps of this document.

Creation of an Exchange application access policy

With an application access policy in Exchange Online, we technically restrict our Azure AD app registration to only have access to members of our defined security group. More information can be found here:

Limiting application permissions to specific Exchange Online mailboxes – Microsoft Graph | Microsoft Learn

To create this policy, please use the following PowerShell commands:

Please adjust the [APPLICATION-NAME] and [CLIENT-ID-OF-THE-APPLICATION] parameter to your needs before executing the commands.

If the script is executed, you will receive the following output as confirmation:

Afterwards, it is important to verify that the application access policy successfully restricts access to only the mailboxes in the previously created security group. For this purpose, please use the following PowerShell commands:

Please adjust the [CLIENT-ID-OF-THE-APPLICATION] parameter according to your app registration.

Use one user [USER-IN-GROUP], where the app shall have access to the mailbox, and use another user [USER-NOT-IN-GROUP], where the app shall NOT have access to the mailbox.

In the PowerShell output, you need to see that access is granted in the first case, but access is denied in the second case:

Assignment of permissions to the Azure AD app registration

Finally, you can assign the appropriate Graph API permissions to the previously created Azure AD app registration. For example, you can use the following application permissions for mail access:

• Mail.Read
• Mail.ReadBasic
• Mail.ReadBasic.All
• Mail.ReadWrite
• Mail.Send

The application permissions depend on your very own use case.

The app permissions can be configured and admin consent can be granted according to the following Microsoft documentation and according to the attached screenshots:

Get access without a user – Microsoft Graph | Microsoft Learn

Afterwards, the setup is done and you can use the app’s client id + client secret / certificate to authenticate against Microsoft Graph API and to programmatically access the mailboxes in the security group.