For security reasons, you should not grant an application full read, write, or send access to all mailboxes in Microsoft 365. Instead, you want to limit it to a selected group, department, or mailbox. That’s when you set up Role Based Access Control (RBAC) and define the exact permissions your applications need. In this article, you will learn how to configure RBAC for Applications in Exchange Online.
Microsoft Entra ID application
Create an application in Microsoft Entra ID before you follow the steps below:
- Sign in to Microsoft Entra admin center.
- Click Entra ID > App registrations.
- Select the application from the list.
- Click on the Application name under Managed application in local directory.
- Copy both the Application ID and Object ID values and paste them into Notepad, as you will need them later when configuring RBAC for Applications.
Supported application roles
RBAC for Applications supports two protocols: MS Graph and EWS. As the table below shows, MS Graph offers a range of application roles, whereas EWS offers only a single one.
Note: Microsoft will deprecate EWS API support in Exchange Online on October 1, 2026. If your application only supports EWS access, you can set it up for the time being. However, inform the application developer that Microsoft Graph support must be added before that end date.
| Name | Protocol | Permission List | Description |
|---|---|---|---|
| Application Mail.Read | MS Graph | Mail.Read | Allows the app to read email in all mailboxes without a signed-in user. |
| Application Mail.ReadBasic | MS Graph | Mail.ReadBasic | Allows the app to read email except the body, previewBody, attachments, and any extended properties in all mailboxes without a signed-in user. |
| Application Mail.ReadWrite | MS Graph | Mail.ReadWrite | Allows the app to create, read, update, and delete email in all mailboxes without a signed-in user. Doesn’t include permission to send mail. |
| Application Mail.Send | MS Graph | Mail.Send | Allows the app to send mail as any user without a signed-in user. |
| Application MailboxSettings.Read | MS Graph | MailboxSettings.Read | Allows the app to read user’s mailbox settings in all mailboxes without a signed-in user. |
| Application MailboxSettings.ReadWrite | MS Graph | MailboxSettings.ReadWrite | Allows the app to create, read, update, and delete user’s mailbox settings in all mailboxes without a signed-in user. |
| Application Calendars.Read | MS Graph | Calendars.Read | Allows the app to read events of all calendars without a signed-in user. |
| Application Calendars.ReadWrite | MS Graph | Calendars.ReadWrite | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| Application Contacts.Read | MS Graph | Contacts.Read | Allows the app to read all contacts in all mailboxes without a signed-in user. |
| Application Contacts.ReadWrite | MS Graph | Contacts.ReadWrite | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| Application Mail Full Access | MS Graph | Mail.ReadWrite, Mail.Send | Allows the app to create, read, update, and delete email in all mailboxes and send mail as any user without a signed-in user. |
| Application Exchange Full Access | MS Graph | Mail.ReadWrite, Mail.Send, MailboxSettings.ReadWrite, Calendars.ReadWrite, Contacts.ReadWrite | Without a signed-in user: Allows the app to create, read, update, and delete email in all mailboxes and send mail as any user. Allows the app to create, read, update, and delete user’s mailbox settings in all mailboxes. Allows the app to create, read, update, and delete events of all calendars. Allows the app to create, read, update, and delete all contacts in all mailboxes. |
| Application EWS.AccessAsApp | EWS | EWS.AccessAsApp | Allows the app to use Exchange Web Services with full access to all mailboxes. |
Configure RBAC for Exchange Online mailbox
- Install Exchange Online PowerShell.
- Connect to Exchange Online PowerShell.
Connect-ExchangeOnline
- Create a new service principal.
New-ServicePrincipal -AppId "1da36296-1c92-4892-8510-386d43528d74" -ObjectId "f9a1fd91-d239-433c-93c5-bc0002e1153f" -DisplayName "AquaSoft"
The output appears.
DisplayName ObjectId AppId
----------- -------- -----
AquaSoft f9a1fd91-d239-433c-93c5-bc0002e1153f 1da36296-1c92-4892-8510-386d43528d74
- Create a management scope that targets only the recipients in the HR department.
New-ManagementScope -Name "HumanResources" -RecipientRestrictionFilter "Department -eq 'HR'"
Alternatively, to target only the HR mailbox (create one scope or the other, because a management scope name must be unique):
New-ManagementScope -Name "HumanResources" -RecipientRestrictionFilter "UserPrincipalName -eq 'HR@exoip.com'"
The output appears.
Name ScopeRestrictionType Exclusive RecipientRoot RecipientFilter ServerFilter
---- -------------------- --------- ------------- --------------- ------------
HumanResources RecipientScope False UserPrincipalName -eq 'HR@exoip.com'
- Take the name of the role you want to assign from the table above, or list the available application roles with PowerShell.
Get-ManagementRole | Where-Object { $_.Name -like "Application*" } | Format-Table Name, Description
The output appears.
Name Description
---- -----------
ApplicationImpersonation This role enables applications to impersonate users in an organization in order to perform tasks on behalf of the user.
Application Mail.Read Allows the app to read email in all mailboxes without a signed-in user
Application Mail.ReadBasic Allows the app to read email except the body, previewBody, attachments, and any extended properties in all mailboxes withou…
Application Mail.ReadWrite Allows the app to create, read, update, and delete email in all mailboxes without a signed-in user. Does not include permis…
Application Mail.Send Allows the app to send mail as any user without a signed-in user
Application MailboxSettings.Read Allows the app to read user's mailbox settings in all mailboxes without a signed-in user
Application MailboxSettings.ReadWrite Allows the app to create, read, update, and delete user's mailbox settings in all mailboxes without a signed-in user
Application Calendars.Read Allows the app to read events of all calendars without a signed-in user
Application Calendars.ReadWrite Allows the app to create, read, update, and delete events of all calendars without a signed-in user
Application SMTP.SendAsApp Allows the app to use SMTP protocol to submit mail in all mailboxes without a signed-in user
Application Contacts.Read Allows the app to read all contacts in all mailboxes without a signed-in user
Application Contacts.ReadWrite Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user
Application Mail Full Access Allows the app to create, read, update, and delete email in all mailboxes as well as send mail as any user without a signed…
Application Exchange Full Access Without a signed-in user: Allows the app to create, read, update, and delete email in all mailboxes as well as send mail as…
Application EWS.AccessAsApp Allows the app to use Exchange Web Services with full access to all mailboxes
- Create the role assignment. In this example, we grant read access to mail within the HumanResources scope.
New-ManagementRoleAssignment -App "1da36296-1c92-4892-8510-386d43528d74" -Role "Application Mail.Read" -CustomResourceScope "HumanResources"
Note: If you want to assign multiple management roles to the application, run the New-ManagementRoleAssignment command again for each required role; each run creates a separate role assignment.
If the application needs EWS access, assign the EWS application role as well.
New-ManagementRoleAssignment -App "1da36296-1c92-4892-8510-386d43528d74" -Role "Application EWS.AccessAsApp" -CustomResourceScope "HumanResources"
- Verify the role assignment.
Get-ManagementRoleAssignment | Where-Object { $_.App -eq "f9a1fd91-d239-433c-93c5-bc0002e1153f"} | Format-Table Identity
To see all properties of the role assignment:
Get-ManagementRoleAssignment | Where-Object { $_.App -eq "f9a1fd91-d239-433c-93c5-bc0002e1153f"} | Format-List
The output appears.
DataObject : Application Mail.Read-f9a1fd91-d239-433c-93c5-bc0002e1153f
User :
App : f9a1fd91-d239-433c-93c5-bc0002e1153f
AssignmentMethod : Direct
Identity : Application Mail.Read-f9a1fd91-d239-433c-93c5-bc0002e1153f
EffectiveUserName : f9a1fd91-d239-433c-93c5-bc0002e1153f
AssignmentChain :
RoleAssigneeType : ServicePrincipal
RoleAssignee : f9a1fd91-d239-433c-93c5-bc0002e1153f
Role : Application Mail.Read
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope :
CustomResourceScope : HumanResources
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : None
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : None
Enabled : True
RoleAssigneeName : f9a1fd91-d239-433c-93c5-bc0002e1153f
Id : Application Mail.Read-f9a1fd91-d239-433c-93c5-bc0002e1153f
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Application Mail.Read-f9a1fd91-d239-433c-93c5-bc0002e1153f
DistinguishedName : CN=Application Mail.Read-f9a1fd91-d239-433c-93c5-bc0002e1153f,CN=Role
Assignments,CN=RBAC,CN=Configuration,CN=exoip365.onmicrosoft.com,CN=ConfigurationUnits,DC=EURP195A003,DC=PROD,DC=OUTLOOK,DC=COM
ObjectCategory : EURP195A003.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 01/10/2025 10:44:28
WhenCreated : 01/10/2025 10:44:28
WhenChangedUTC : 01/10/2025 08:44:28
WhenCreatedUTC : 01/10/2025 08:44:28
ExchangeObjectId : 7c3767ab-89a2-4e6f-b74b-3b3fc5b6729e
OrganizationalUnitRoot : exoip365.onmicrosoft.com
OrganizationId : EURP195A003.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/exoip365.onmicrosoft.com -
EURP195A003.PROD.OUTLOOK.COM/ConfigurationUnits/exoip365.onmicrosoft.com/Configuration
Guid : 7c3767ab-89a2-4e6f-b74b-3b3fc5b6729e
OriginatingServer : AM0P195A003DC03.EURP195A003.PROD.OUTLOOK.COM
ObjectState : Unchanged
Role Based Access Control (RBAC) for the application is successfully set up.
Test RBAC for Applications
Open the application in Microsoft Entra ID and confirm that no API permissions are assigned to it. With RBAC for Applications, access is granted by the Exchange Online role assignment, not by permissions on the app registration.
Verify that the RBAC for Applications configuration is set up correctly.
Test-ServicePrincipalAuthorization -Identity "1da36296-1c92-4892-8510-386d43528d74" -Resource "HR@exoip.com" | Format-Table
The output shows True or False in the InScope column for each role assigned to the application.
InScope True means the role assignment covers the tested mailbox, so the permissions apply to it.
RoleName GrantedPermissions AllowedResourceScope ScopeType InScope
-------- ------------------ -------------------- --------- -------
Application Mail.Read Mail.Read HumanResources CustomRecipientScope True
InScope False means the tested mailbox falls outside the assignment's scope, so the permissions do not apply to it.
RoleName GrantedPermissions AllowedResourceScope ScopeType InScope
-------- ------------------ -------------------- --------- -------
Application Mail.Read Mail.Read HumanResources CustomRecipientScope False
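The following script is an added example (not from the original article) that ties the configuration steps above together and then runs the Test-ServicePrincipalAuthorization check against both a mailbox inside the scope and one outside it. It reuses the AppId, ObjectId, display name, scope and role from the article; finance@exoip.com is a constructed out-of-scope mailbox, and the existence checks before each New-* cmdlet make the script safe to re-run.

```powershell
# Added example, not from the original article. Sets up RBAC for Applications
# for one app and verifies the scope with a positive and a negative test.
# Assumed values: identifiers from the article; finance@exoip.com is constructed.
param(
    [string]$AppId             = "1da36296-1c92-4892-8510-386d43528d74",
    [string]$ObjectId          = "f9a1fd91-d239-433c-93c5-bc0002e1153f",
    [string]$DisplayName       = "AquaSoft",
    [string]$ScopeName         = "HumanResources",
    [string]$RecipientFilter   = "Department -eq 'HR'",
    [string]$Role              = "Application Mail.Read",
    [string]$InScopeMailbox    = "HR@exoip.com",
    [string]$OutOfScopeMailbox = "finance@exoip.com"   # constructed; must NOT match the filter
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Service principal: create it only if Exchange Online does not know it yet.
if (-not (Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName $DisplayName | Out-Null
}

# 2. Management scope: names are unique, so reuse an existing scope of that name.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $RecipientFilter | Out-Null
}

# 3. Role assignment bound to the custom scope (one assignment per role).
$existing = Get-ManagementRoleAssignment -Role $Role |
    Where-Object { $_.App -eq $ObjectId -and $_.CustomResourceScope -eq $ScopeName }
if (-not $existing) {
    New-ManagementRoleAssignment -App $AppId -Role $Role -CustomResourceScope $ScopeName | Out-Null
}

# 4. Verify: InScope must be True for the HR mailbox and False for any other mailbox.
function Test-AppScope([string]$Mailbox) {
    $result = Test-ServicePrincipalAuthorization -Identity $AppId -Resource $Mailbox |
        Where-Object { $_.RoleName -eq $Role }
    return [bool]$result.InScope
}

$inside  = Test-AppScope $InScopeMailbox
$outside = Test-AppScope $OutOfScopeMailbox
"{0,-25} InScope={1}" -f $InScopeMailbox, $inside
"{0,-25} InScope={1}" -f $OutOfScopeMailbox, $outside

if (-not $inside) { Write-Error "Role '$Role' does not cover $InScopeMailbox; check the scope filter." }
if ($outside)     { Write-Error "Role '$Role' reaches $OutOfScopeMailbox; the scope is wider than intended." }
```

The negative test is the part worth keeping in a change checklist: a scope filter that is too broad (for example a typo in the department name) silently widens the application's reach, and only a mailbox outside the intended group reveals it.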
That’s it!
Conclusion
You learned how to configure RBAC for Applications in Exchange Online. First, create a new service principal. Next, define a custom management scope to restrict access to specific recipients. Then, assign the required management roles to the service principal within that scope to control what the application can manage. Finally, test the configuration to ensure the application only has the intended permissions.