
Question

LF Cloud: Email Archive Limiting Application Permissions

asked on July 18

Hi all,

We're trying to set up the email archive profile and we're on step 7c.

I'm inquiring to see if someone has set up the limits for the application permissions and could share what it should be. We really just want the Laserfiche Email Archive profile to access one shared mailbox and not give it FULL mail.Read and mail.ReadWrite access.

Limit application permissions to specific Exchange Online mailboxes


Thanks!

0 0

Replies

replied on July 21

I asked this same question before and your answer is in the link you posted. 

https://answers.laserfiche.com/questions/225390/Configuring-Microsoft-Azure-for-Email-Archive-without-using-Application-permissions

RBAC for Applications in Exchange Online allows admins to grant permissions to an application that's independently accessing data in Exchange Online. This grant can be paired with a scope of access (resource scope) to specify which mailboxes an app can access.

1 0
replied on July 21

Email Archive needs mail.read to read the contents of the inbox and mail.readwrite to process messages, mark them as read and/or move them to a new folder to indicate they've been processed.

What are the concerns you are trying to address? Mail.ReadWrite does not grant Email Archive the ability to send email (not that Email Archive ever attempts to send email).

0 0
replied on July 21

Can you provide me specific ExO v3 PowerShell lines to limit permissions to a specific mailbox, as Microsoft does not include such an example in their documentation?

0 0
replied on July 21

Management scopes allow an admin to scope a set of mailboxes based on the properties of these objects. Refer to the Management Scope documentation for addremoveset.


It gives you an example here for "Configuring calendar read access for Canadian employees using a management scope":

New-ServicePrincipal -AppId 71487acd-ec93-476d-bd0e-6c8b31831053 -ObjectId 6233fba6-0198-4277-892f-9275bf728bcc -DisplayName "example"

DisplayName   ObjectId                              AppId
-----------   ---------                              -----
example       6233fba6-0198-4277-892f-9275bf728bcc   71487acd-ec93-476d-bd0e-6c8b3183105

New-ManagementScope -Name "Canadian employees" -RecipientRestrictionFilter "CustomAttribute1 -eq '012332'"

Name                 ScopeRestrictionType      Exclusive      RecipientRoot          RecipientFilter 
----                 --------------------      ---------      -------------          --------------- 
Canadian employees    RecipientScope            False                                CustomAttribute1 -eq '012332'

New-ManagementRoleAssignment -App 6233fba6-0198-4277-892f-9275bf728bcc -Role "Application Calendars.Read" -CustomResourceScope "Canadian Employees"

Name                      Role                 RoleAssigneeName       RoleAssigneeType        AssignmentMethod
----                      ----                 ----------------       ----------------        ----------------
Application Calendar...   Application Ca...    6233fba6-0198-...      ServicePrincipal        Direct

From this example, when you're adding the mail.Read and mail.ReadWrite role assignments, you'll need to have already created a management scope and you specify that scope during the role assignment.

1 0
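Applying the same pattern to the original question (one shared mailbox, Mail.Read and Mail.ReadWrite only), as an added example that is not from the thread or from Laserfiche; the AppId, ObjectId, scope name, and mailbox address are placeholders to replace with your tenant's values:

```powershell
# Added example: scope an app's Mail.Read / Mail.ReadWrite to a single shared mailbox
# using Exchange Online RBAC for Applications (ExchangeOnlineManagement V3 cmdlets).
# All identifiers below are placeholders, not values from the thread.
$appId    = '00000000-0000-0000-0000-000000000000'   # Entra application (client) ID - placeholder
$objectId = '11111111-1111-1111-1111-111111111111'   # enterprise application object ID - placeholder
$mailbox  = 'archive@contoso.example'                # the one shared mailbox to expose - placeholder
$scope    = 'EmailArchiveMailbox'                    # management scope name - placeholder

Connect-ExchangeOnline

# One-time: register the Entra app as a service principal inside Exchange Online
New-ServicePrincipal -AppId $appId -ObjectId $objectId -DisplayName 'Laserfiche Email Archive'

# Management scope whose recipient filter matches exactly one mailbox
New-ManagementScope -Name $scope `
    -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$mailbox'"

# Grant only the two application roles Email Archive needs, bound to that scope.
# -App takes the service principal's ObjectId, as in the Microsoft example above.
foreach ($role in 'Application Mail.Read', 'Application Mail.ReadWrite') {
    New-ManagementRoleAssignment -App $objectId -Role $role -CustomResourceScope $scope
}

# Verification: the app should be authorized for the shared mailbox ...
Test-ServicePrincipalAuthorization -Identity $objectId -Resource $mailbox | Format-Table -AutoSize

# ... and any other mailbox should fall outside the assigned scope
Test-ServicePrincipalAuthorization -Identity $objectId -Resource 'someone.else@contoso.example' | Format-Table -AutoSize
```

Because the app is authorized through Exchange RBAC rather than a tenant-wide Graph application permission, a Graph Mail.Read or Mail.ReadWrite grant is not needed for it to reach the scoped mailbox.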
replied on July 21

Hi Jasciel,

 

Please refer to Role Based Access Control for Applications in Exchange Online | Microsoft Learn to limit the smaller permission for the Azure application (Kevin provided examples). If using this way, the Azure app for Email Archive does not require steps 12 to 16 under 7.c for application permissions of Microsoft Graph. It needs to follow the Microsoft online help to limit a specific mailbox to have the mail.Read and mail.ReadWrite role assignment.

 

Regards,

Qinmei

 

0 0