Table of contents
- How to find skybow Exchange connector Application ID
- Role Based Access Control for Applications
- Application Access Policy (Legacy)
The skybow Send email action in Scheduled/Triggered actions requires the skybow Exchange Connector to be approved and a sender email address to be set.
This article explains how to use Role Based Access Control for Applications in Exchange Online, or an Application Access Policy (Legacy), to restrict which mailboxes the connector may send from.
How to find skybow Exchange connector Application ID
Open portal.azure.com and select Microsoft Entra ID in the left navigation. Select Enterprise applications and search for "skybow Exchange connector".
Open this application and copy the Application ID and Object ID.
Role Based Access Control for Applications
Role Based Access Control (RBAC) for applications allows administrators to restrict an application’s access to Exchange Online resources by using management scopes. Unlike Application Access Policies (AAP), RBAC is resource-based, not sender-based. This is done by creating a CustomResourceScope with a recipient filter and assigning the Exchange application role to the application using its application (client) ID.
RBAC works by combining these elements:
- Application permissions (what the app is allowed to do)
- Exchange application roles (how Exchange enforces those permissions)
- Management scopes (which mailboxes the app can access)
NOTE: When using RBAC to restrict access, the Mail.Send application permission must be removed from the skybow Exchange connector every time the connector is re-trusted.
How to set Role Based Access Control
1. First, you need to install the ExchangeOnlineManagement PowerShell module and connect with admin credentials. Run Windows PowerShell with administrator rights and run the following PowerShell commands:
Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline
2. Register service principal. This ensures the application is recognized as a service principal in Exchange Online.
AppId - the application (client) ID GUID of the app (the Application ID copied above).
ObjectId - the unique ID of the service principal object associated with this application (the Object ID copied above).
New-ServicePrincipal -AppId 4ef019f4-e6a1-4fa6-ae1c-c55f0922ff50 -ObjectId f76c8dc4-1204-4492-a8dc-5a70b16daf4f -DisplayName "skybow Exchange Connector"
3. Tag allowed mailboxes. Use a custom attribute to identify mailboxes that the application is allowed to access:
Set-Mailbox AlexW@M365x93939164.OnMicrosoft.com -CustomAttribute1 "SkybowSendEmail"
4. Create a management scope. This scope dynamically includes all mailboxes that match the filter.
New-ManagementScope -Name "Skybow-Mailbox-Scope" -RecipientRestrictionFilter "CustomAttribute1 -eq 'SkybowSendEmail'"
5. Assign the Exchange application role. This binds the Application Mail.Send role to the application only for mailboxes in the defined scope. These changes may take between 30 minutes and 2 hours to take effect.
New-ManagementRoleAssignment -Name "Skybow-Mail-Send-Scoped" -App 4ef019f4-e6a1-4fa6-ae1c-c55f0922ff50 -Role "Application Mail.Send" -CustomResourceScope "Skybow-Mailbox-Scope"
In this case, if you set a sender email address that is not covered by the defined RBAC management scope, you will receive an error in the history logs.
Use the Get-ManagementRoleAssignment cmdlet to retrieve the specific Exchange role assignment.
Get-ManagementRoleAssignment -Identity "Skybow-Mail-Send-Scoped"
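The following script is an added example, not code from the skybow article, that runs steps 2 to 5 above end to end and then verifies the result. It assumes the module is installed and Connect-ExchangeOnline has been run; the angle-bracket values are placeholders for the Application ID and Object ID found in the Enterprise application, the mailbox addresses are constructed samples, and the final check uses Test-ServicePrincipalAuthorization, a cmdlet from Microsoft's RBAC-for-applications documentation that the article itself does not show.

```powershell
# Added example (not part of the skybow article): end-to-end RBAC-for-applications
# setup for the connector, followed by verification. Values in angle brackets are
# placeholders; take them from the Enterprise application as described above.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline has been run.

$AppId             = '<application-id-from-enterprise-app>'   # placeholder
$ObjectId          = '<object-id-from-enterprise-app>'        # placeholder
$ScopeName         = 'Skybow-Mailbox-Scope'
$RoleName          = 'Skybow-Mail-Send-Scoped'
$Tag               = 'SkybowSendEmail'
$AllowedMailboxes  = @('sender1@contoso.example', 'sender2@contoso.example')  # constructed sample addresses
$NotAllowedMailbox = 'other@contoso.example'                                  # constructed sample address

# 1. Register the service principal only if Exchange does not know it yet, so the
#    script can be re-run without failing on a duplicate.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId `
        -DisplayName 'skybow Exchange Connector' | Out-Null
}

# 2. Tag each allowed sender mailbox with the custom attribute the scope filter matches on.
foreach ($mbx in $AllowedMailboxes) {
    Set-Mailbox -Identity $mbx -CustomAttribute1 $Tag
}

# 3. Create the management scope. It is dynamic: any mailbox carrying the tag is included,
#    and clearing the tag removes a mailbox from the scope without touching the assignment.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "CustomAttribute1 -eq '$Tag'" | Out-Null
}

# 4. Bind the Application Mail.Send role to the app, limited to the scope.
if (-not (Get-ManagementRoleAssignment -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $RoleName -App $AppId `
        -Role 'Application Mail.Send' -CustomResourceScope $ScopeName | Out-Null
}

# 5. Verify: the assignment must reference the custom resource scope, and the scope
#    must resolve to exactly the tagged mailboxes.
Get-ManagementRoleAssignment -Identity $RoleName | Format-List
Get-Mailbox -Filter "CustomAttribute1 -eq '$Tag'" |
    Select-Object DisplayName, PrimarySmtpAddress

# 6. Ask Exchange directly whether the app may act on each mailbox. InScope should be
#    True for the tagged mailboxes and False for the untagged one. Allow for the
#    30 minute to 2 hour propagation delay noted above before trusting a negative result.
foreach ($mbx in ($AllowedMailboxes + $NotAllowedMailbox)) {
    Test-ServicePrincipalAuthorization -Identity $AppId -Resource $mbx |
        Select-Object @{ n = 'Mailbox'; e = { $mbx } }, RoleName, GrantedPermissions, InScope
}
```

Step 6 is the check worth keeping after any later change: it reports what Exchange will actually enforce for the connector, independent of what the Entra portal shows for the app's permissions.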
How to remove Role Based Access Control
If you no longer want to restrict the skybow Exchange connector using RBAC, you must remove the Exchange role assignment and (optionally) the management scope and mailbox attributes.
NOTE: After removing the Exchange role assignment, you must re-trust the skybow Exchange connector.
This cmdlet disables RBAC enforcement for the application:
Remove-ManagementRoleAssignment -Identity "Skybow-Mail-Send-Scoped"
This cmdlet removes the management scope:
Remove-ManagementScope -Identity "Skybow-Mailbox-Scope"
This cmdlet clears the custom attribute on the mailbox:
Set-Mailbox AlexW@M365x93939164.OnMicrosoft.com -CustomAttribute1 $null
Application Access Policy (Legacy)
To limit access to a specific mailbox you can use application access policies (legacy). The New-ApplicationAccessPolicy cmdlet in PowerShell gives administrators a flexible and efficient way to implement access control policies for applications.
How to set ApplicationAccessPolicy
1. First, you need to install the ExchangeOnlineManagement PowerShell module and connect with admin credentials. Run Windows PowerShell with administrator rights and run the following PowerShell commands:
Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline
2. Then you can restrict access using the New-ApplicationAccessPolicy cmdlet. This requires the Application ID of the app registration, the access right you want to set, and the email address(es) you want to limit access to. These changes may take up to 30 minutes.
Note: if you need to allow more than one mailbox, create a mail-enabled security group and pass the group's email address.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "4ef019f4-e6a1-4fa6-ae1c-c55f0922ff50" -PolicyScopeGroupId "AlexW@M365x69839084.OnMicrosoft.com" -Description "Restrict app permissions to allow access to the mailbox that's specified by the PolicyScopeGroupID parameter"
AccessRight - this parameter specifies the restriction type that you want to assign in the application access policy. Valid values are RestrictAccess or DenyAccess.
AppId - this parameter specifies the GUID of the app to include in the policy.
Description - this parameter specifies a description for the policy.
PolicyScopeGroupID - this parameter specifies the recipient (mailbox or mail-enabled security group) to define in the policy.
In this case, if you set a sender email address that is not covered by the application access policy, you will receive an error in the history logs.
Use the Get-ApplicationAccessPolicy cmdlet to view the list of application access policies.
Get-ApplicationAccessPolicy | Format-List Identity,Description,ScopeName,AccessRight,AppID
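The following script is an added example, not code from the skybow article, showing the multi-mailbox variant mentioned in the note above: it creates a mail-enabled security group, scopes one RestrictAccess policy to it, and then uses Test-ApplicationAccessPolicy (a cmdlet the article does not show) to confirm which mailboxes the connector may use. It assumes the module is installed and Connect-ExchangeOnline has been run; the Application ID is a placeholder and the group name and mailbox addresses are constructed samples.

```powershell
# Added example (not from the skybow article): restrict the connector with an application
# access policy scoped to a mail-enabled security group rather than a single mailbox,
# then verify with Test-ApplicationAccessPolicy. Placeholders in angle brackets; assumes
# ExchangeOnlineManagement is installed and Connect-ExchangeOnline has been run.

$AppId      = '<application-id-from-enterprise-app>'                  # placeholder
$GroupName  = 'Skybow-Allowed-Senders'                                # constructed sample name
$GroupAlias = 'skybow-allowed-senders'
$Members    = @('sender1@contoso.example', 'sender2@contoso.example') # constructed sample addresses
$Outsider   = 'other@contoso.example'                                 # constructed sample address

# 1. Mail-enabled security group. PolicyScopeGroupId must be a mail-enabled object,
#    so a plain (non mail-enabled) security group would not work here.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Alias $GroupAlias -Type Security
}
foreach ($m in $Members) {
    # SilentlyContinue keeps the script re-runnable when a member is already present.
    Add-DistributionGroupMember -Identity $GroupName -Member $m -ErrorAction SilentlyContinue
}

# 2. One RestrictAccess policy for the app, scoped to the group's SMTP address.
#    Skip creation if a policy for this app already exists.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
        -PolicyScopeGroupId $group.PrimarySmtpAddress `
        -Description 'skybow Exchange connector may only send from members of Skybow-Allowed-Senders'
}

# 3. Verify. AccessCheckResult should be Granted for group members and Denied for
#    everyone else. Allow up to the 30 minutes noted above for propagation before
#    acting on an unexpected result.
foreach ($mbx in ($Members + $Outsider)) {
    Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId |
        Select-Object @{ n = 'Mailbox'; e = { $mbx } }, AccessCheckResult
}
```

Changing who the connector may send as then becomes a group membership change, which is easier to review than editing the policy itself, and the verification loop in step 3 is the quickest way to confirm a Denied result before the Send email action reports an error in the history logs.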
How to remove ApplicationAccessPolicy
You can use the Remove-ApplicationAccessPolicy cmdlet to remove application access policies. These changes may take up to 30 minutes.
Remove-ApplicationAccessPolicy -Identity "596ade3a-1abe-4c5b-b7d5-a169c4b05d4a\7a774f0c-7a6f-11e0-85ad-07fb4824019b:S-1-5-21-724521725-2336880675-2689004279-1821338;8b6ce428-cca2-459a-ac50-d38bcc932258"
Identity - this parameter specifies the application access policy that you want to remove (as shown by Get-ApplicationAccessPolicy).