Restricting EWS client application to impersonate only one mail account RRS feed

  • Frage

  • Hello,

    we have a background windows service that checks database records and sends emails for new records regularly. That service uses EWS to connect to an Azure Exchange ( Up to now, it uses Basic Authentication and it works perfectly.

    However, as Microsoft will phase out Basic Authentication by October this year, and for other security considerations, we want to change to OAuth authentication. To do so, I have registered the app in Azure portal and granted application level permissions on Exchange full_access_as_app, along with admin consent. That works quite well, my service can connect and impersonate the user id (mail account) used for sending out the emails.

    However, the service could impersonate any user account. That's a security concern for us, the service should only be able to access a specific mail account. Searching for solutions, I found this:

    Basically, this page describes powershell commands to limit an Azure app's mailbox access using the New-ApplicationAccessPolicy cmdlet. I have executed this to restrict access to, and if I check the result using Test-ApplicationAccessPolicy for, it returns Granted; while for, it returns Denied. Great!

    Unfortunately, this does not seem to have any effect for my service - it still can impersonate and e.g. send emails on user2's behalf.

    Maybe I am looking at completely different things - it is the first time I am dealing with Azure apps. So to cut a long story short.. how can I restrict my service to only be able to impersonate specific accounts?

    Thank you for any ptr,


    Freitag, 21. Februar 2020 09:32


  • To answer my own question: After some more digging around, it turns out that these are indeed two different animals.

    EWS access is legacy only and apparently, there is no way of restricting access for an app-only (daemon, service) Azure app to certain mailboxes.

    Instead, it is recommended to use Microsoft Graph, and use the permission Mail.Send. After a bit of reading and re-writing code, this works quite well and the aforementioned cmdlets to restrict access to certain user accounts works well with this, too.

    As a reference if anyone comes across this: These links were quite helpful:

    Freitag, 21. Februar 2020 12:19