Restrict Azure App Registration E-Mail Permission

The Microsoft Graph application permission Mail.Send, granted without any restriction, is dangerous: anyone who holds the app registration credentials (Tenant ID, Client ID and Client Secret) can send e-mail as any mailbox in the tenant, for example the CEO. No user interaction and no mailbox password are involved, so a leaked client secret is all it takes. The same exposure applies to the other application-level mailbox permissions (Mail.Read, Mail.ReadWrite, MailboxSettings.*, Calendars.*, Contacts.*).
To close that hole, create a mail-enabled security group whose members are the only mailboxes the app is allowed to act on, and reference that group in an Exchange Online Application Access Policy for the Azure App Registration. The policy is enforced by Exchange for every application-permission call the app makes to those mailbox APIs, so it limits all of the permissions listed above, not only Mail.Send.
Below follows a guide for how this can be achieved.

Create E-mail Enabled Security Group

Go to Microsoft 365 Portal

Create a mail-enabled security group under Groups->Active Groups. Note that the e-mail address of the security group itself is not important: it will not be used as sender address and is never visible to the recipient. What matters is the group's membership, because exactly those mailboxes are the ones the app will be able to send from.

../../../_images/addgroup01.png

../../../_images/addgroup02.png

../../../_images/addgroup03.png

Wait for group to show up under active groups – it can take a few hours.

Once it shows up, add the mailbox you want to use as the e-mail sender as a member. This is the address the recipients will see as the sender. It can be a normal user's mailbox, or a shared mailbox, which is preferable if you do not want a dedicated licensed account just for this functionality. Keep the membership minimal: every mailbox added here can be sent from by anyone holding the app credentials.

../../../_images/addgroup04.png

../../../_images/addgroup05.png

../../../_images/addgroup06.png

../../../_images/addgroup07.png

../../../_images/addgroup08.png

../../../_images/addgroup09.png

Install Exchange Online PowerShell V2 module

You can skip this part if you already have version 2.0.4 (or newer) of the ExchangeOnlineManagement PowerShell module installed on your computer. Check with Get-InstalledModule -Name ExchangeOnlineManagement.

Go to https://www.powershellgallery.com and search for ExchangeOnlineManagement.

Install version 2.0.4 or newer. When this guide was written that required a prerelease build; stable releases well beyond 2.0.4 (the 3.x line) have since been published, so the plain installation below is normally enough.

If the current stable version is 2.0.4 or newer, then run the following:

Install-Module -Name ExchangeOnlineManagement

If version 2.0.4 is only available in prerelease, then note down the full version and run the following, replacing <full version number>:

Install-Module -Name ExchangeOnlineManagement -RequiredVersion <full version number> -AllowPrerelease

Apply Application Access Policy to Azure App Registration

Open PowerShell and connect to Exchange Online with an account that holds an Exchange administrator role, replacing <admin principal name> with the correct value (a modern authentication prompt will open):

Connect-ExchangeOnline -UserPrincipalName <admin principal name>

Create a new application access policy that limits the App Registration so that it can only send e-mail as mailboxes that are members of the totalviewtimesendemail mail-enabled security group. With -AccessRight RestrictAccess the app is restricted to the group members and denied for every other mailbox (DenyAccess is the inverse: blocked for members, allowed elsewhere). Replace <Azure App Registration Client/App ID> and <your e-mail domain name> with the correct values:

New-ApplicationAccessPolicy -AppId <Azure App Registration Client/App ID> -PolicyScopeGroupId totalviewtimesendemail@<your e-mail domain name> -AccessRight RestrictAccess -Description "Restrict this app to members of mail-enabled security group totalviewtimesendemail."

Note that application access policies only apply to application permissions (client credentials flow); delegated permissions are scoped by the signed-in user and are not affected. Use Get-ApplicationAccessPolicy to list the policies already in place and Remove-ApplicationAccessPolicy to delete one.

Verification 1

To test whether the created policy is taking effect, run the following command with different e-mail addresses in the domain. The AccessCheckResult field of the output must be Granted for group members and Denied for every other mailbox:

Test-ApplicationAccessPolicy -Identity <test e-mail address> -AppId <Azure App Registration Client/App ID>

../../../_images/addgroup10.png
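The whole procedure above (group, membership, policy and verification) can also be driven from the same Exchange Online PowerShell session, which is convenient for repeating it in several tenants or for auditing it later. The script below is an added example, not Totalview's own code; the GUIDs, the contoso.com domain and the mailbox addresses are placeholders to replace. It creates the mail-enabled security group with New-DistributionGroup -Type Security (the same object the portal steps create), adds the permitted sender, creates one RestrictAccess policy for the app if none exists, and then runs Test-ApplicationAccessPolicy over a list of mailboxes, comparing each result with what the group membership says it should be.

```powershell
# Added example: configure and verify the application access policy end to end.
# All identifiers and addresses below are assumed placeholders; replace them.
$AppId          = '00000000-0000-0000-0000-000000000000'   # Client/App ID of the app registration
$AdminUpn       = 'admin@contoso.com'
$GroupName      = 'totalviewtimesendemail'
$GroupSmtp      = 'totalviewtimesendemail@contoso.com'
$AllowedSenders = @('noreply@contoso.com')                 # mailboxes the app may send as
$CheckMailboxes = @('noreply@contoso.com', 'ceo@contoso.com', 'finance@contoso.com')

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Mail-enabled security group. Get-DistributionGroup also returns mail-enabled
#    security groups, so it doubles as the existence check.
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp | Out-Null
}
foreach ($sender in $AllowedSenders) {
    # "already a member" is reported as an error; that is fine here.
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $sender -ErrorAction SilentlyContinue
}

# 2. One RestrictAccess policy for this app. Refuse to pile up duplicates,
#    because a second policy with a wider group would silently widen access.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    Write-Host "Policy already present for $AppId (scope: $($existing.ScopeName -join ', '))"
} else {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess `
        -Description "Restrict this app to members of mail-enabled security group $GroupName." | Out-Null
}

# 3. Verification: every mailbox outside the group must come back Denied.
#    Expected values are derived from the membership list, so the comparison
#    does not depend on which display name Test-ApplicationAccessPolicy echoes.
$results = foreach ($mbx in $CheckMailboxes) {
    $check = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mbx
        Result   = $check.AccessCheckResult
        Expected = if ($AllowedSenders -contains $mbx) { 'Granted' } else { 'Denied' }
    }
}
$results | Format-Table -AutoSize

$mismatches = $results | Where-Object { $_.Result -ne $_.Expected }
if ($mismatches) {
    Write-Warning ("Policy not enforced as intended for: " + ($mismatches.Mailbox -join ', ') +
                   ". Re-check group membership, or wait for the policy to propagate and retry.")
} else {
    Write-Host "Policy verified: only $($AllowedSenders -join ', ') can be used as sender."
}

Disconnect-ExchangeOnline -Confirm:$false
```

The mismatch check is the part worth keeping around: run it again after any change to the group, and before a client secret is rotated or handed to another system, so that a mailbox that was added to the group "temporarily" does not stay there.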

Verification 2

  1. Open TotalviewExchange365.exe from <Totalview Installation Folder>\InstallFiles\Exchange365

  2. Put in the Tenant ID, Client ID and Client Secret values and press “Test without Totalview”

  3. Go to Send E-Mail tab and try sending an e-mail from an account that should not be permitted to send e-mails. It should fail.

  4. Go to Send E-Mail tab and try sending an e-mail from an account that should be permitted to send e-mails. It should work.

If either of the last two steps does not behave as described, wait and retry. Microsoft documents that changes to application access policies can take up to 30 minutes to take effect in Graph API calls, and in practice it can take a few hours before the restriction is enforced.
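The same end-to-end check can be made without the Totalview test tool, directly against Microsoft Graph, which is useful when verifying from a machine where Totalview is not installed or when you want to see exactly what an attacker holding the three credential values would get. The script below is an added example, not Totalview's or Microsoft's code; the tenant and client IDs, the contoso.com addresses and the recipient are placeholders to replace. It obtains a client-credentials token, then calls POST /users/{sender}/sendMail once for a permitted sender and once for a mailbox outside the group. Graph answers 202 Accepted for a send that went through; with the policy in place, the mailbox outside the group must be refused with HTTP 403.

```powershell
# Added example: exercise the application access policy through Microsoft Graph.
# Placeholder values are assumptions; replace them before running.
$TenantId     = '00000000-0000-0000-0000-000000000000'
$ClientId     = '00000000-0000-0000-0000-000000000000'
$ClientSecret = Read-Host 'Client secret'
$Recipient    = 'policy-test@contoso.com'

# One sender that is a member of the group, one that is not.
$Cases = @(
    @{ Sender = 'noreply@contoso.com'; Expect = 202 }   # group member: send must succeed
    @{ Sender = 'ceo@contoso.com';     Expect = 403 }   # not a member: must be refused
)

# Client-credentials token: no user, no MFA, only the three credential values.
# This is exactly the position an attacker with a leaked secret is in, which is
# why the access policy is the only remaining control.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
    }
$Headers = @{ Authorization = "Bearer $($token.access_token)" }

function Send-TestMail {
    param([string]$Sender)
    $payload = @{
        message = @{
            subject      = "Application access policy check (sender $Sender)"
            body         = @{ contentType = 'Text'; content = 'Sent by the policy verification script.' }
            toRecipients = @(@{ emailAddress = @{ address = $Recipient } })
        }
        saveToSentItems = $false
    } | ConvertTo-Json -Depth 10          # default depth would truncate the nested objects
    try {
        Invoke-RestMethod -Method Post `
            -Uri "https://graph.microsoft.com/v1.0/users/$Sender/sendMail" `
            -Headers $Headers -ContentType 'application/json' -Body $payload | Out-Null
        return 202                        # Graph returns 202 Accepted with an empty body
    } catch {
        # Works in both Windows PowerShell (WebException) and PowerShell 7 (HttpResponseMessage).
        return [int]$_.Exception.Response.StatusCode
    }
}

$allGood = $true
foreach ($case in $Cases) {
    $status  = Send-TestMail -Sender $case.Sender
    $verdict = if ($status -eq $case.Expect) { 'OK' } else { $allGood = $false; 'UNEXPECTED' }
    '{0,-10} sender={1,-28} http={2} expected={3}' -f $verdict, $case.Sender, $status, $case.Expect
}
if (-not $allGood) {
    Write-Warning 'Policy is not enforced as intended. Check group membership and Test-ApplicationAccessPolicy, or wait for propagation and retry.'
}
```

Run this before the policy is created as well: at that point both senders return 202, which is the concrete demonstration of the problem described at the top of this page. A status of 0 for a case means the request never reached Graph (network or token error) rather than a policy decision.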