Comments on: Migrate from EWS Application Access Policy to RBAC for Applications
https://practical365.com/migrate-from-ews-application-access-policy-to-rbac-for-applications/
Practical Office 365 News, Tips, and Tutorials
Last updated: Sun, 14 Jul 2024 15:58:08 +0000

By: Ingo (Sun, 14 Jul 2024 15:58:08 +0000)
https://practical365.com/migrate-from-ews-application-access-policy-to-rbac-for-applications/#comment-296845
In reply to Chandan.

Hi Chandan,
Sorry for the delay!
Of course you can use your existing ServicePrincipals in EXO. Just create your desired RoleAssignment.
Ciao,
Ingo

By: Chandan (Thu, 11 Jul 2024 15:55:09 +0000)
https://practical365.com/migrate-from-ews-application-access-policy-to-rbac-for-applications/#comment-296717
Hello @ingo – In your article you mention “Create a replacement app in Entra ID”. Do we have to do this for all impacted apps? Is there any way we can create a service principal for existing apps?
Also, could you please confirm why app owners have to change authentication to the client credentials flow?

By: Ingo (Tue, 07 May 2024 06:33:52 +0000)
https://practical365.com/migrate-from-ews-application-access-policy-to-rbac-for-applications/#comment-293583
Hi Bryan,
This is only supported for IMAP/POP and SMTP, as outlined here:
https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth?WT.mc_id=M365-MVP-5001727
I get your point for a single or a few mailboxes. However, think about it: you can’t do a reverse search like “EXO, please give me all mailboxes this specific SPN has access to.” With role assignments and scopes you’re better off in terms of governance and insights.
Ciao,
Ingo

By: Bryan (Fri, 03 May 2024 17:52:01 +0000)
https://practical365.com/migrate-from-ews-application-access-policy-to-rbac-for-applications/#comment-293405
Is it possible to utilize the Add-MailboxPermission cmdlet to leverage access to the mailbox for the Service Principal?

That is, rather than going through with utilizing management scopes and management roles, would assigning mailbox delegated permissions be enough to grant access? Or would that still expose the rest of the mailboxes in the org to the app, given that the biggest reason to utilize Application Access Policies was to reduce the access from all mailboxes in Exchange Online to the Graph App Registration?
