Hello,
we have a background Windows service that checks database records and sends emails for new records regularly. That service uses EWS to connect to an Azure Exchange (https://outlook.office365.com/ews/exchange.asmx). Up to now, it uses Basic Authentication, and it works perfectly.
However, as Microsoft will phase out Basic Authentication by October this year, and for other security considerations, we want to change to OAuth authentication. To do so, I have registered the app in the Azure portal and granted application-level permissions on Exchange full_access_as_app, along with admin consent. That works quite well: my service can connect and impersonate the user id (mail account) used for sending out the emails.
However, the service can impersonate any user account. That's a security concern for us; the service should only be able to access a specific mail account. Searching for solutions, I found this: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
Basically, this page describes PowerShell commands to limit an Azure app's mailbox access using the New-ApplicationAccessPolicy cmdlet. I have executed this to restrict access to user1@mydomain.com, and if I check the result using Test-ApplicationAccessPolicy for user1@mydomain.com, it returns Granted, while for user2@mydomain.com it returns Denied. Great!
Unfortunately, this does not seem to have any effect on my service: it can still impersonate user2@mydomain.com and, e.g., send emails on user2's behalf.
Maybe I am looking at completely different things; it is the first time I am dealing with Azure apps. So, to cut a long story short: how can I restrict my service so that it can only impersonate specific accounts?
Thank you for any pointer,
Roland
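The policy step described in the post, written out as an added example (editor's code, not the original poster's or Microsoft's). It creates a RestrictAccess application access policy scoped to a single mailbox and then checks the effective result for an in-scope and an out-of-scope mailbox, which is the check worth repeating after any change. The application (client) ID and the two mailbox addresses are placeholders, and the script assumes the Exchange Online PowerShell module is installed and that the account running it has the Exchange admin rights the cmdlets require.

```powershell
# Added example: scope an Azure app's mailbox access to one mailbox and verify it.
# All identifiers below are placeholders (assumption); replace them with your own.
$AppId   = '00000000-0000-0000-0000-000000000000'   # app (client) ID of the registered app
$Allowed = 'user1@mydomain.com'                     # the only mailbox the service should use
$Denied  = 'user2@mydomain.com'                     # a mailbox that must stay out of reach

# Exchange Online PowerShell module session (Connect-ExchangeOnline prompts interactively)
Connect-ExchangeOnline

# RestrictAccess: the app may access only the mailbox(es) in PolicyScopeGroupId;
# every other mailbox in the tenant is denied for this app.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $Allowed `
    -AccessRight RestrictAccess `
    -Description 'Notification service: restricted to its sender mailbox'

# Show what is now configured for this app
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }

# Evaluate the effective decision for both mailboxes; expect Granted for $Allowed
# and Denied for $Denied once the policy has propagated.
foreach ($mbx in @($Allowed, $Denied)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    '{0}: {1}' -f $mbx, $result.AccessCheckResult
}

Disconnect-ExchangeOnline -Confirm:$false
```

Two practical notes: a newly created or changed policy can take a while (Microsoft's guidance is up to about 30 minutes) to take effect, so re-run the Test-ApplicationAccessPolicy loop after a pause before concluding that the policy is being ignored; and PolicyScopeGroupId also accepts a mail-enabled security group, which is the easier option when more than one mailbox must be in scope. The policy restricts what the application identity can reach; the full_access_as_app permission itself stays as granted, so the policy is the control to verify rather than the permission grant.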