= Azure O365 App MailBox Access =
 * How to give an Azure Entra ID application access to a specific O365 (Exchange Online) mailbox instead of every mailbox in the tenant.

== Links ==
 * From: https://techcommunity.microsoft.com/discussions/azure/limiting-application-permissions-to-specific-exchange-online-mailboxes/4339208
 * https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac#supported-permissions-and-other-resources

== High-level steps ==
 1. Create the Entra ID (formerly Azure AD) app registration.
 2. Give the app the API permission Office 365 Exchange Online > Application permissions > Exchange Web Services {{{full_access_as_app}}}, and grant admin consent.
   * This is an application (not delegated) permission: on its own it lets the app read and write every mailbox in the tenant. It is narrowed in step 5, so until that policy exists the app is tenant-wide. The same policy mechanism also covers the Graph Mail.*, Calendars.*, Contacts.* and MailboxSettings.* application permissions, which matters because EWS is being retired for Exchange Online (October 2026).
 3. Open Exchange Online PowerShell (pwsh):
   {{{
Connect-ExchangeOnline
   }}}
 4. Create a mail-enabled security group and add the mailboxes the app is allowed to access (the user or shared mailboxes themselves, not the people who own them) as members.
   * e.g. group name: {{{MailboxAccessGroup}}}
   * The group must be mail-enabled (created in the Exchange admin center or Exchange Online PowerShell). A security group created in the Entra portal is not mail-enabled and is rejected as a policy scope; distribution groups are not security principals and are rejected too.
 5. Assign the application access policy. The {{{-AppId}}} value is the application (client) ID of the app registration (left blank in these notes):
   {{{
New-ApplicationAccessPolicy -AppId "" -PolicyScopeGroupId "MailboxAccessGroup" -AccessRight RestrictAccess -Description "Restrict app access to specific mailboxes"
   }}}
   * RestrictAccess means the app may only reach mailboxes that are members of the group and is denied everywhere else in the tenant. The other access right, DenyAccess, is the inverse: blocked for the group, unaffected elsewhere.
 6. Verify the policy was created:
   {{{
Get-ApplicationAccessPolicy
   }}}
   * A new or changed policy can take up to 30 minutes to take effect, so an app call that still succeeds immediately after creation is not proof the policy is wrong.

== Example ==
The other model used in these notes: register the app's service principal in Exchange Online and grant it FullAccess on a single mailbox directly with {{{Add-MailboxPermission}}}. This is the per-mailbox grant Exchange requires for IMAP/POP/SMTP application permissions; it does not narrow an app that already holds {{{full_access_as_app}}}, only an application access policy does that. IDs are redacted as in the original notes.

{{{
Application (client) ID: 0b......-....-....-....-..........3c
Enterprise APP Id (service principal ObjectId): 9f......-....-....-....-.........b9
ObjectId (app registration): 29......-....-....-....-..........df

# Attempt using the application (client) ID. Add-MailboxPermission resolves -User against
# Exchange recipients and registered service principals, so the service principal must be
# registered first; the call that produced the output at the bottom uses its ObjectId.
Add-MailboxPermission -Identity "TestStatementReconciliation@example.co.nz" -User "0b......-....-....-....-..........3c" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Look up the service principal's ObjectId from the application (client) ID (Az PowerShell)
Get-AzADServicePrincipal -Filter "appId eq '0b......-....-....-....-..........3c'" | Select-Object AppId, ObjectId

# Exchange (the admin UPN was omitted from the original notes)
Connect-ExchangeOnline -UserPrincipalName -ShowProgress $true

# Register the service principal in Exchange Online
# New-ServicePrincipal -AppId "your-app-client-id" -ServiceId "your-service-principal-object-id"
New-ServicePrincipal -AppId "0b......-....-....-....-..........3c" -ServiceId "9f......-....-....-....-...........b9" -DisplayName "example-reconciliation-dev"

DisplayName                ObjectId                             AppId
-----------                --------                             -----
example-reconciliation-dev 9f......-....-.....-....-.........b9 0b......-....-....-....-..........3c

# Confirm the registration
# Get-ServicePrincipal | Where-Object { $_.AppId -eq "your-app-client-id" }

# Grant FullAccess on one mailbox to the service principal, identified by its ObjectId
# Add-MailboxPermission -Identity "shared-mailbox@contoso.com" -User "your-service-principal-object-id" -AccessRights FullAccess -InheritanceType All -AutoMapping $false
Add-MailboxPermission -Identity "TestStatementReconciliation@example.co.nz" -User "9f......-....-....-....-..........b9" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# The service principal is not an Exchange recipient, so the grant is listed under User as a raw SID
Identity             User                 AccessRights IsInherited Deny
06......-....-....-… S-1-5-21-2426222919… {FullAccess}
}}}
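The high-level steps 3 to 6 carried through end to end, as an added example that is not part of the original notes: the group is created as a mail-enabled security group, the RestrictAccess policy is created idempotently, and the result is proven with one in-scope and one out-of-scope mailbox rather than by listing the policy. Assumptions (placeholders for this tenant): {{{$AppId}}} is the app registration's application (client) ID, {{{$AdminUpn}}} is an Exchange admin, {{{MailboxAccessGroup@example.co.nz}}} and {{{someone.else@example.co.nz}}} are made-up addresses; {{{TestStatementReconciliation@example.co.nz}}} is the mailbox named in the notes.

```powershell
# Added example, not part of the original notes: scope an app that holds EWS
# full_access_as_app to the members of one mail-enabled security group, then prove the
# restriction with a positive and a negative Test-ApplicationAccessPolicy check.
# Assumptions (placeholders for this tenant): $AppId is the app registration's
# application (client) ID, $AdminUpn is an Exchange admin, $GroupSmtp and $ControlBox
# are made-up addresses; $AllowedBox is the mailbox named in the notes.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $AdminUpn,
    [string] $GroupName  = "MailboxAccessGroup",
    [string] $GroupSmtp  = "MailboxAccessGroup@example.co.nz",
    [string] $AllowedBox = "TestStatementReconciliation@example.co.nz",
    [string] $ControlBox = "someone.else@example.co.nz"
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 4: the policy scope must be a mail-enabled security group. -Type Security on
# New-DistributionGroup creates exactly that; a group made in the Entra portal is not
# mail-enabled and New-ApplicationAccessPolicy rejects it.
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Alias $GroupName -Type Security `
        -PrimarySmtpAddress $GroupSmtp | Out-Null
}
# Members are the mailboxes the app may touch, not the people who own them.
Add-DistributionGroupMember -Identity $GroupSmtp -Member $AllowedBox -ErrorAction SilentlyContinue

# Step 5: one RestrictAccess policy for this app. Re-running the script must not create a
# duplicate, so look for an existing policy on the AppId first.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    $policy = New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess -Description "Restrict $AppId to members of $GroupName"
}
$policy | Format-List AppId, ScopeName, AccessRight, Description

# Step 6: verify. Test-ApplicationAccessPolicy evaluates the policy for one mailbox and
# returns AccessCheckResult = Granted or Denied. The control mailbox is the test that
# matters: if it is still Granted, the app is still tenant-wide.
$allowed = Test-ApplicationAccessPolicy -Identity $AllowedBox -AppId $AppId
$control = Test-ApplicationAccessPolicy -Identity $ControlBox -AppId $AppId
"{0,-45} {1}" -f $AllowedBox, $allowed.AccessCheckResult
"{0,-45} {1}" -f $ControlBox, $control.AccessCheckResult

if ($allowed.AccessCheckResult -ne 'Granted' -or $control.AccessCheckResult -ne 'Denied') {
    # Policies can take up to 30 minutes to propagate; a failure right after creation is
    # not conclusive, a failure after that window is.
    Write-Warning "Policy not effective yet (or misconfigured). Re-test after the propagation window."
}

Disconnect-ExchangeOnline -Confirm:$false
```

The negative test is the one worth keeping in a runbook: a policy that grants the allowed mailbox but still grants an arbitrary other mailbox means the scope group was not accepted (typically a non-mail-enabled group) or the policy has not propagated yet.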
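The per-mailbox model from the Example section, as an added example that is not part of the original notes: the service principal is registered only if Exchange does not already know it, the FullAccess grant is applied, and then the grant is checked on the target mailbox and audited across the tenant, since a service principal's grant appears under User as a raw SID rather than a name (as in the output above). Assumptions: {{{$AppId}}} is the application (client) ID, {{{$SpObjectId}}} is the enterprise application (service principal) object ID, a Connect-ExchangeOnline session already exists, and the mailbox address is the one from the notes. Newer ExchangeOnlineManagement releases name the New-ServicePrincipal parameter -ObjectId; the notes used the older -ServiceId name for the same value, so check Get-Help New-ServicePrincipal in your module version.

```powershell
# Added example, not part of the original notes: the per-mailbox model from the Example
# section made idempotent, then a check of which mailboxes the service principal can reach.
# Assumptions: $AppId is the application (client) ID, $SpObjectId is the enterprise
# application (service principal) object ID, a Connect-ExchangeOnline session already exists,
# and the mailbox address is the one from the notes. Newer ExchangeOnlineManagement releases
# name the New-ServicePrincipal parameter -ObjectId; the notes used the older -ServiceId
# name for the same value (check Get-Help New-ServicePrincipal in your module version).
param(
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $SpObjectId,
    [string] $DisplayName = "example-reconciliation-dev",
    [string] $Mailbox     = "TestStatementReconciliation@example.co.nz"
)

# Register the service principal in Exchange Online only once. Add-MailboxPermission
# resolves -User against Exchange recipients and registered service principals, which is
# why granting to the bare application (client) ID does not work.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $DisplayName
}

# Grant FullAccess on exactly one mailbox to the service principal's object ID.
Add-MailboxPermission -Identity $Mailbox -User $sp.ObjectId -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false | Out-Null

# Verify on the target mailbox. A service principal is not an Exchange recipient, so its
# grant is listed under User as a raw SID (S-1-5-21-...) rather than a name, exactly as in
# the output above; the explicit (non-inherited) FullAccess rows are the ones to read.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' } |
    Select-Object Identity, User, AccessRights

# Audit across the tenant: every explicit FullAccess grant whose User did not resolve to a
# recipient name. These are service principals (or orphaned SIDs); any mailbox other than
# $Mailbox appearing here for this app is scope creep to investigate.
Get-EXOMailbox -ResultSize Unlimited |
    ForEach-Object { Get-EXOMailboxPermission -Identity $_.PrimarySmtpAddress } |
    Where-Object { -not $_.IsInherited -and $_.User -like 'S-1-5-21-*' -and $_.AccessRights -contains 'FullAccess' } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize
```

Run the audit part on its own periodically: because the grant is per mailbox and shows up only as a SID, it is easy for a second reconciliation app or a test grant to accumulate FullAccess on mailboxes nobody remembers approving.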