Restrict Azure App Registration E-Mail Permission

The Graph API Mail.Send permission without any restriction is dangerous, because it allows anyone holding the app registration credentials (Tenant ID, Client ID and Client Secret) to send e-mail as any user in the company - for example the CEO.

To close that security hole, a so-called Mail Enabled Security Group should be created and used in an Application Access Policy for the Azure App Registration.

Below follows a guide for how this can be achieved.

Create Mail Enabled Security Group

Go to Microsoft 365 Admin Center.

Create a mail enabled security group, under Teams & groups -> Active teams & groups.

Add the e-mail account that will be used for sending e-mails as a member of the group.

N.B. it can take a few hours for the created group to show up in your Active teams & groups list.

Install Exchange Online Management PowerShell module

To check whether the ExchangeOnlineManagement PowerShell module is installed, run the following command:

Get-InstalledModule -Name ExchangeOnlineManagement

If it is not installed, run the following command to install it:

Install-Module -Name ExchangeOnlineManagement

If it is already installed, we recommend checking for updates with the following command:

Update-Module -Name ExchangeOnlineManagement

The newest stable version number can be found on the PowerShell Gallery.

Apply Application Access Policy to Azure App Registration

Open PowerShell and connect to Exchange Online. Replace <admin principal name> with the e-mail address used to log in to the Office 365 Admin Portal in the previous step.

Connect-ExchangeOnline -UserPrincipalName <admin principal name>

Create a new application access policy that limits the App Registration to sending e-mails only as users who are members of the totalviewtimesendemail mail-enabled security group. Replace <Azure App Registration Client/App ID> and <Mail enabled security group e-mail address> with the correct values:

New-ApplicationAccessPolicy -AppId <Azure App Registration Client/App ID> -PolicyScopeGroupId <Mail enabled security group e-mail address> -AccessRight RestrictAccess -Description "Restrict this azure app registration to only be able to send e-mails as members of mail enabled distribution group"

The Azure App Registration Client/App ID value can be obtained from the header of the Azure App Registration page for the app registration. The value is always a GUID.

The Mail enabled security group e-mail address value is the e-mail address of the mail-enabled security group created in the previous step.


Verification 1

To check whether the created policy is taking effect, run the following command with different e-mail addresses in the domain:

Test-ApplicationAccessPolicy -Identity <test e-mail address> -AppId <Azure App Registration Client/App ID>

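As an added example (not part of the original guide), the following PowerShell script combines the policy creation above with Verification 1: it creates the policy only if none exists yet for the App ID, then checks a list of addresses, expecting an AccessCheckResult of Granted for group members and Denied for everyone else. The placeholder values and the two address lists are assumptions you must replace with your own.

```powershell
# Added example, not from the original guide. Replace every <placeholder> before running.
param(
    [string]$AdminUpn   = '<admin principal name>',
    [string]$AppId      = '<Azure App Registration Client/App ID>',
    [string]$GroupEmail = '<Mail enabled security group e-mail address>',
    # Constructed sample lists: members of the group vs. mailboxes that must stay blocked
    [string[]]$ShouldBeGranted = @('<permitted sender e-mail address>'),
    [string[]]$ShouldBeDenied  = @('<ceo e-mail address>', '<other user e-mail address>')
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Only create the policy when the App ID has none yet, to avoid duplicate or conflicting policies
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupEmail `
        -AccessRight RestrictAccess `
        -Description 'Restrict this app registration to sending as members of the mail-enabled security group'
} else {
    Write-Host "A policy already exists for $AppId :"
    $existing | Format-Table AppId, ScopeName, AccessRight
}

# Test-ApplicationAccessPolicy reports Granted or Denied per mailbox in AccessCheckResult
$failures = 0
foreach ($mbx in $ShouldBeGranted) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    if ($r.AccessCheckResult -ne 'Granted') {
        Write-Warning "$mbx should be Granted but is $($r.AccessCheckResult)"; $failures++
    }
}
foreach ($mbx in $ShouldBeDenied) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    if ($r.AccessCheckResult -ne 'Denied') {
        Write-Warning "$mbx should be Denied but is $($r.AccessCheckResult)"; $failures++
    }
}

if ($failures -eq 0) {
    Write-Host 'Policy verified: only members of the group can be used as senders.'
} else {
    # A freshly created policy or group can take a few hours to propagate
    Write-Warning "$failures mismatch(es); if the policy was just created, wait and re-run."
}

Disconnect-ExchangeOnline -Confirm:$false
```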

Verification 2

  1. Open TotalviewExchange365.exe from <Totalview Installation Folder>\InstallFiles\Exchange365

  2. Put in the Tenant ID, Client ID and Client Secret values and press “Test without Totalview”

  3. Go to the Send E-Mail tab and try sending an e-mail from an account that should not be permitted to send e-mails. It should fail.

  4. Go to the Send E-Mail tab and try sending an e-mail from an account that should be permitted to send e-mails. It should work.

If either of the last two steps does not behave as described, wait two hours and retry. It can take a few hours for the security restriction to be enforced.