Only allow accessing emails from users assigned to Azure Enterprise Application using Confidential Client Credential Flow

Question

I have an application where I want to send and read emails for a specific list of users assigned to an Azure Enterprise Application using the MS Graph API and the Confidential Client Credential flow. I do not know which users these will be initially, but I can query them through the service principals endpoint for the application and let the application user pick which one(s) to use.

I understand that I need to add the Application level User.Read.All, Mail.Send, and Mail.Read API permissions to the App registration and grant admin consent for them, however after retrieving the confidential client token and calling the https://graph.microsoft.com/v1.0/users/{user}/sendMail endpoint with it, I find it will still let me send from any user in the domain and not just the ones assigned to the application. The Assignment required setting in the enterprise application properties doesn't appear to affect this.

Is there a way to ensure the endpoint cannot be used to send/read user emails that are not assigned to the enterprise application?

Answer 1

I created an Azure AD application and granted API permissions like below:

And set Assignment required as YES in the Enterprise application:

For sample added ruk user:

Now I generated access token using Client Credentials flow by using below parameters via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials

By using the above access token, I tried to send mail by another user which is not assigned to the Enterprise application. And I am able to send mail successfully:

POST https://graph.microsoft.com/v1.0/users/[email protected]/sendMail
Content-type: application/json

{
  "message": {
    "subject": "Meet for lunch?",
    "body": {
      "contentType": "Text",
      "content": "The new cafeteria is open."
    },
    "toRecipients": [
      {
        "emailAddress": {
          "address": "[email protected]"
        }
      }
    ],
    "ccRecipients": [
      {
        "emailAddress": {
          "address": "[email protected]"
        }
      }
    ]
  },
  "saveToSentItems": "false"
}

Note that: If you are setting Assignment required to YES then it works for only User Sign-in scenario or User interactive flow not for Confidential Client Credential Flow as there is no user interaction involved.

For Client Credential Flow/Application identity scenario, you must configure Application Access Policy like below:

Connect-ExchangeOnline

New-ApplicationAccessPolicy -AppId ClientID -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "test"

You can test the policy against other users:

Test-ApplicationAccessPolicy -Identity [email protected] -AppId ClientID

Test-ApplicationAccessPolicy -Identity [email protected] -AppId ClientID

Now only the ruk user will be able to send mail using the access token generated by Client Credential flow for the application.

• You can create the group and add users you want to access application and configure the policy by passing the group id.
• If you do not want to configure application access policy, then set assignment required to YES and make use of user interactive flow.

References:

How to allow Azure Ad App to access information only for certain users? - Microsoft Q&A by krish-gh

New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft

Answer 2

I would prefer another way than assigning users to the enterprise application.

There is an endpoint for role assignment (currently only in beta) for Exchange provider.

With this endpoint you can define that your specific enterprise app will be able to send emails for a group of users.

Prerequisite is to create an administrative unit and add those users as members of this administrative unit.

1. Create administrative unit

POST /v1.0/directory/administrativeUnits

2. Add members to administrative unit

POST /v1.0/directory/administrativeUnits/{id}/members/$ref

3. Find id of role definition to send mail as application

GET /beta/roleManagement/exchange/roleDefinitions?$filter=displayName eq 'Application Mail.Send'

4. Create role assignment for your enterprise app but limit the role for a specific administrative unit

POST /beta/roleManagement/exchange/roleAssignments
{
    "principalId": "/ServicePrincipals/{your_enterprise_app_id}",
    "roleDefinitionId": "{role_definition_id_for_mail_send}",
    "directoryScopeId": "/AdministrativeUnits/{administrative_unit_id}",
    "appScopeId": null
}

It can take from 30 minutes to 2 hours until the role is applied in Azure.

Repeat point 3. and 4. for Mail.Read (or Mail.ReadBasic)

5. Find id of role definition to read mails as application

GET /beta/roleManagement/exchange/roleDefinitions?$filter=displayName eq 'Application Mail.Read'

6. Create role assignment for your enterprise app but limit the role for a specific administrative unit

POST /beta/roleManagement/exchange/roleAssignments
{
    "principalId": "/ServicePrincipals/{your_enterprise_app_id}",
    "roleDefinitionId": "{role_definition_id_for_mail_read}",
    "directoryScopeId": "/AdministrativeUnits/{administrative_unit_id}",
    "appScopeId": null
}

The advantages:

• no need to add Mail.Send, Mail.Read permissions for the app in Azure (Entra) portal
• user is removed from administrative unit => app is not be able to send/read emails of that user
• user is added to an administrative unit => app is be able to send/read emails
• limited to a specific set of users

Resource:

RBAC for Exchange Provider Preview