0
votes

When you access a mailbox of a specific user via a background service using MS Graph, the token will expire after 90 days since MS Graph (MSAL.NET/Azure AD 2.0) does not return a refresh token (see here).

Using administrator consent should resolve this issue, but the only choice is to get access to ALL mailboxes of the organization. This is way too great a security risk for this task.

Does anybody know a middle ground for this? Is there a way to get the refresh token when using user consent, or limit admin consent to 1 mailbox?

Is this an issue that Microsoft should resolve?

1
Which API are you requesting? - Carl Zhao

Carl, the question has been answered by Allen Wu. But to have complete documentation for other users: using Microsoft.Identity.Client; AcquireTokenSilent (docs.microsoft.com/nl-nl/azure/active-directory/develop/…) - Serge Settels

1 Answer

0
votes

Microsoft Graph documentation has provided a method to accomplish this requirement.

Just use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId [email protected] -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."

See details from Scoping application permissions to specific Exchange Online mailboxes.
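The answer above shows the single cmdlet; the following is an added example (not taken from the answer or from Microsoft's documentation) that walks through the whole workflow in Exchange Online PowerShell: connect, create the policy that restricts an app-only Graph registration to one mail-enabled group, and then verify with Test-ApplicationAccessPolicy that the app is granted access to a member of that group and denied access to everyone else. The app id, group address and user addresses are placeholders, not values from the page.

```powershell
# Added example: scope an app-only Microsoft Graph registration to one group of mailboxes.
# All identifiers below are placeholders; replace them with your own values.
$appId       = '00000000-0000-0000-0000-000000000000'   # placeholder: app (client) id of the background service
$scopeGroup  = 'MailboxAccessGroup@contoso.example'     # placeholder: mail-enabled group holding the allowed mailbox(es)
$allowedUser = 'svc-mailbox@contoso.example'            # placeholder: a mailbox that is a member of the group
$otherUser   = 'someone.else@contoso.example'           # placeholder: a mailbox that is NOT a member

# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

# Create the policy: with RestrictAccess the app can only reach mailboxes in the scope group,
# even though the admin consented to tenant-wide application permissions (e.g. Mail.Read).
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Restrict app-only Graph mail access to members of the scope group'

# Verify the effect. AccessCheckResult should be Granted for the member and Denied for the non-member.
Test-ApplicationAccessPolicy -Identity $allowedUser -AppId $appId
Test-ApplicationAccessPolicy -Identity $otherUser   -AppId $appId

# Review the policies that apply to this app (useful as a periodic least-privilege check).
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId }
```

To limit the app to a single mailbox, make that mailbox the only member of the scope group. The policy only governs application (app-only) permissions, which is exactly the admin-consent scenario in the question; it does not change what a signed-in user can do with delegated permissions. Newly created policies can take some time to become effective, so run the Test-ApplicationAccessPolicy checks again before relying on the result.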