Comments on: Application Access policies extend support for more scenarios
https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/
Practical Office 365 News, Tips, and Tutorials
Fri, 16 Sep 2022 19:32:17 +0000

By: Aaron Lenchner
https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/#comment-243065
Fri, 16 Sep 2022 19:32:17 +0000

Well, please disregard my earlier post. I just realized I had a typo which is why my tests never resulted in a Denied permission. Oops.

By: Aaron Lenchner
https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/#comment-243063
Fri, 16 Sep 2022 19:17:10 +0000

Thank you for this explanation. I’ve been doing a lot of reading up on this as we are in need of updating Cherwell from EWS to using Modern Authentication, and this is the only method they are supporting. My question, however, is with regard to the -AccessRight switch “RestrictAccess”. We do want to limit the application to only one mailbox. Per your previous article on Application Policies on Exchange Online, you state:
“If a RestrictAccess policy exists for given Application and Target Mailbox pair, the app’s access request is granted.”, and
“If a RestrictAccess policies exists for given Application, but does not match a Target Mailbox, the app’s access request is denied.”

However, in testing my RestrictAccess policy using the command, Test-ApplicationAccessPolicy, I am getting results for all mailboxes as “granted”? I haven’t tried the code above, but shouldn’t I be getting a “denied” result with a restrict policy in place? Now I’m confused if this solution works as described?

By: Vasil Michev
https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/#comment-234429
Tue, 27 Apr 2021 12:27:19 +0000

In reply to Juan Dewachter.

It’s supported just fine, you can find the original blog post announcing this here: https://techcommunity.microsoft.com/t5/exchange-team-blog/application-access-policy-support-in-ews/ba-p/2110361

When the documentation will be updated, I cannot tell you. They might even not add it there, as that article is specific to the Graph API, not EWS.

By: Juan Dewachter
https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/#comment-234425
Tue, 27 Apr 2021 09:37:10 +0000

Hi

In the documentation of Microsoft https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access it’s mentioned the application access policy is only supported for below permissions:

– Mail.Read
– Mail.ReadBasic
– Mail.ReadBasic.All
– Mail.ReadWrite
– Mail.Send
– MailboxSettings.Read
– MailboxSettings.ReadWrite
– Calendars.Read
– Calendars.ReadWrite
– Contacts.Read
– Contacts.ReadWrite

There is nothing mentioned about the full_access_as_app permission. Could you please confirm the application access policy is also working for the full_access_as_app permission or is this not supported?

Thank you in advance

Kind regards

Juan

By: Vasil.Michev
https://practical365.com/new-application-access-policies-extend-support-for-more-scenarios/#comment-233429
Thu, 11 Feb 2021 18:45:38 +0000

Well, nice timing on this – the SPO folks just announced the following: https://developer.microsoft.com/en-us/graph/blogs/controlling-app-access-on-specific-sharepoint-site-collections/
