Version: 2.0.1 (preview)

Exchange Application Access Policies should be configured

Description

Applications granted Microsoft Graph application permissions for Exchange Online resources (Mail, Calendars, Contacts) can access every mailbox in the tenant by default: application permissions are tenant-wide and are not tied to a signed-in user. A compromised or over-permissioned application therefore exposes data in all mailboxes, not just the ones it was deployed to serve.

Application access policies help mitigate this risk by:

  • Restricting which mailboxes an application can access
  • Limiting the scope of potential data breaches
  • Enforcing the principle of least privilege

Application access policies apply to the following Microsoft Graph application permissions:

Mail Access:

  • Mail.Read
  • Mail.ReadBasic
  • Mail.ReadBasic.All
  • Mail.ReadWrite
  • Mail.Send

Mailbox Settings:

  • MailboxSettings.Read
  • MailboxSettings.ReadWrite

Calendar Access:

  • Calendars.Read
  • Calendars.ReadWrite

Contacts Access:

  • Contacts.Read
  • Contacts.ReadWrite

Note: Only the listed permissions are governed by application access policies. An application that also holds permissions outside this list keeps whatever tenant-wide access those grant, so review the application's full set of granted application permissions, not just the ones above.

How to fix

  1. Connect to Exchange Online:
     Connect-ExchangeOnline
  2. Define variables for your application:
     # Get these values from the app registration in Microsoft Entra ID
     $AppID = "<your-app-id>" # e.g. "0a3ad682-b031-416d-86c2-bf263f8b46a3"
     $GroupName = "AAP_$AppID" # example naming convention for clarity
     $Description = "Restrict this app to members of distribution group $GroupName"
  3. Create a mail-enabled security group to scope the policy:
     # -Type Security creates a mail-enabled security group; hide it from address lists
     $DGroup = New-DistributionGroup -Name $GroupName -Type Security
     Start-Sleep -Seconds 5 # Wait for group creation to propagate
     Set-DistributionGroup -Identity $DGroup.WindowsEmailAddress -HiddenFromAddressListsEnabled $true
  4. Create the application access policy (RestrictAccess limits the app to the group's members):
     New-ApplicationAccessPolicy -AppId $AppID `
         -PolicyScopeGroupId $DGroup.WindowsEmailAddress `
         -AccessRight RestrictAccess `
         -Description $Description
  5. Add the mailboxes the application is allowed to reach as members of the security group:
     Add-DistributionGroupMember -Identity $GroupName -Member user@contoso.com
  6. Verify the policy. Policy changes can take up to 30 minutes to take effect, and the policy is only doing its job if a mailbox outside the group is denied, so test both cases:
     # List all policies
     Get-ApplicationAccessPolicy

     # A member of the scope group should return AccessCheckResult Granted
     Test-ApplicationAccessPolicy -Identity user@contoso.com -AppId $AppID

     # A mailbox that is not a member of the group should return AccessCheckResult Denied
     Test-ApplicationAccessPolicy -Identity someone.else@contoso.com -AppId $AppID
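
The steps above assume you already know which applications need a policy. As an added example (not code from the original page), the following PowerShell finds every service principal in the tenant that holds one of the policy-governed Graph application permissions listed under Description and reports whether an application access policy scopes it. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications) and the ExchangeOnlineManagement module; the Microsoft Graph service principal is looked up by its well-known appId 00000003-0000-0000-c000-000000000000, and the property names read from Get-ApplicationAccessPolicy output (AppId, AccessRight, ScopeName) are assumed from the current module version.

```powershell
# Added example: audit Graph app permissions on Exchange resources against
# application access policies. Not part of the original page.
# Assumes Microsoft.Graph.Applications and ExchangeOnlineManagement are installed
# and the caller can read applications (Application.Read.All) and Exchange config.

# Permissions governed by application access policies (the list on this page).
$PolicyScopedPermissions = @(
    'Mail.Read', 'Mail.ReadBasic', 'Mail.ReadBasic.All', 'Mail.ReadWrite', 'Mail.Send',
    'MailboxSettings.Read', 'MailboxSettings.ReadWrite',
    'Calendars.Read', 'Calendars.ReadWrite',
    'Contacts.Read', 'Contacts.ReadWrite'
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# The Microsoft Graph service principal; its appRoles define the application
# permissions, and app role assignments reference them by role id.
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$RoleNameById = @{}
foreach ($role in $GraphSp.AppRoles) { $RoleNameById[$role.Id] = $role.Value }

# Existing policies, keyed by the application id they apply to.
# (Property names on the policy object are an assumption; see lead-in.)
$PoliciesByAppId = @{}
foreach ($policy in Get-ApplicationAccessPolicy) {
    $PoliciesByAppId[$policy.AppId] = $policy
}

$Findings = foreach ($sp in Get-MgServicePrincipal -All) {
    # Only roles granted on the Graph resource are relevant here.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $GraphSp.Id }
    $granted = @($assignments |
        ForEach-Object { $RoleNameById[$_.AppRoleId] } |
        Where-Object { $_ -in $PolicyScopedPermissions } |
        Sort-Object -Unique)
    if ($granted.Count -eq 0) { continue }

    $policy = $PoliciesByAppId[$sp.AppId]
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Permissions = ($granted -join ', ')
        HasPolicy   = [bool]$policy
        AccessRight = if ($policy) { $policy.AccessRight } else { 'Tenant-wide (no policy)' }
        ScopeName   = if ($policy) { $policy.ScopeName } else { '' }
    }
}

# Unscoped apps first: these are the ones that fail this check.
$Findings | Sort-Object HasPolicy, DisplayName | Format-Table -AutoSize
```

Every row with HasPolicy false is an application that can currently reach every mailbox in the tenant; either scope it with the steps above or remove the permission if the application does not need it. An application that has a policy but also holds a permission outside the list (which the policy does not govern) is not flagged by this script, which is why the note under Description asks you to review the full permission set.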

Learn more