Implementing Role-Based Access Control (RBAC) for Microsoft Graph Applications

This article explains how to configure Role-Based Access Control (RBAC) for Microsoft Graph applications in Exchange Online. Application RBAC lets you limit which Exchange resources an application can reach (for example, a single mailbox) instead of granting it tenant-wide permissions to every mailbox.

Purpose

Use Exchange Online application RBAC to restrict Microsoft Graph application access to specific Exchange resources such as individual mailboxes or mailbox groups.

Prerequisites

The following are required before starting:

• An application registered in Microsoft Entra ID
• A service principal for the application
• Exchange Online administrator permissions
• Exchange Online PowerShell module installed

Identify the Application Service Principal

RBAC assignments are applied to the application’s service principal. You will need the following values:

• Application (Client) ID
• Service Principal Object ID

These values can be obtained from the Microsoft Entra admin center or by using Microsoft Graph PowerShell.

Connect to Exchange Online PowerShell

Sign in to Exchange Online PowerShell using an account with sufficient permissions.

Connect-ExchangeOnline

Register the Service Principal in Exchange Online

Create an Exchange Online service principal reference for the application. This allows Exchange RBAC to recognize the application identity.

New-ServicePrincipal `
  -AppId <ApplicationID> `
  -ObjectId <ServicePrincipalObjectID> `
  -DisplayName "<ApplicationDisplayName>"

Create a Management Scope (Optional)

Management scopes restrict which Exchange objects the application can access; the scope is expressed as a recipient filter. If no scope is created and attached to the role assignment, the application's access applies to all relevant objects (all mailboxes) in the tenant.

Example of restricting access to a single mailbox:

New-ManagementScope `
  -Name "<ScopeName>" `
  -RecipientRestrictionFilter "PrimarySmtpAddress -eq 'user@domain.com'"

Assign an Application Management Role

Assign an Exchange application role to the service principal. If a management scope was created, attach it to the role assignment.

New-ManagementRoleAssignment `
  -Role "<RoleName>" `
  -App <ServicePrincipalObjectID> `
  -CustomResourceScope "<ScopeName>"

Only management roles designed for application access (their names begin with "Application", for example Application Mail.Read) can be assigned to service principals with the -App parameter.

Validate the Configuration

Verify that the application has the expected permissions and scope.

Test-ServicePrincipalAuthorization `
  -Identity <ServicePrincipalObjectID> `
  -Resource user@domain.com

Confirm the application can access only the intended resources.
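The steps above, carried through end to end as one added example. This script is not part of the original article or of the Microsoft documentation it references; it resolves the service principal object ID from the client ID with Microsoft Graph PowerShell (Microsoft.Graph.Applications module), then registers, scopes, assigns and validates in Exchange Online PowerShell. The client ID, mailbox addresses, scope name, display name and the choice of Application Mail.Read as the role are placeholders or assumptions to adjust for your tenant, and the Get-ServicePrincipal / Get-ManagementScope checks are added so the script can be re-run without creating duplicates.

```powershell
# Added example (not from the page): scope one Graph application to one mailbox in Exchange Online.
# Every identifier below is a placeholder or an assumption; replace with your tenant's values.
$AppId       = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID from Entra ID
$Mailbox     = 'user@domain.com'                        # placeholder: the only mailbox the app may access
$OtherBox    = 'someone-else@domain.com'                # placeholder: an out-of-scope mailbox used for the negative check
$ScopeName   = 'Scope-GraphApp-SingleMailbox'           # constructed name for the management scope
$RoleName    = 'Application Mail.Read'                  # assumed role; pick the Application role that matches the app's need
$DisplayName = 'Graph App (scoped)'                     # constructed display name for the Exchange service principal record

# 1. Resolve the service principal object ID from the client ID (Microsoft Graph PowerShell).
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId; create the enterprise application first." }
$SpObjectId = $sp.Id

# 2. Connect to Exchange Online with an account that holds Exchange administrator permissions.
Connect-ExchangeOnline -ShowBanner:$false

# 3. Register the service principal in Exchange so RBAC can recognise the application identity.
if (-not (Get-ServicePrincipal -Identity $SpObjectId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName $DisplayName | Out-Null
}

# 4. Management scope limited to a single mailbox (recipient filter on the primary SMTP address).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$Mailbox'" | Out-Null
}

# 5. Bind the application role to the service principal, restricted by the scope.
New-ManagementRoleAssignment -Role $RoleName -App $SpObjectId -CustomResourceScope $ScopeName | Out-Null

# 6. Validate: the in-scope mailbox is expected to report as in scope, the other address as not.
'--- In-scope mailbox ---'
Test-ServicePrincipalAuthorization -Identity $SpObjectId -Resource $Mailbox
'--- Out-of-scope mailbox (expected: not authorised by this assignment) ---'
Test-ServicePrincipalAuthorization -Identity $SpObjectId -Resource $OtherBox
```

Running the validation against both an in-scope and an out-of-scope address is the useful part: a single positive check cannot tell you whether the scope is actually constraining anything, while the negative check shows that mailboxes outside the filter are not covered by the assignment.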

Notes

• Exchange Online RBAC does not restrict application permissions granted to the app in Microsoft Entra ID (API permissions with admin consent); it only governs access granted through Exchange role assignments
• Tenant-wide Graph application permissions (for example Mail.Read granted in Entra ID) bypass RBAC scoping, so an app that still holds them can reach every mailbox regardless of the Exchange scope
• Remove unscoped Entra ID application permissions once the Exchange role assignment covers the application's needs, to enforce least-privilege access
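The notes above are only enforceable if you can see which tenant-wide Graph application permissions the app still holds. The following added script (not part of the original article) lists the app role assignments on the application's service principal whose resource is Microsoft Graph and resolves each one to its permission name, so unscoped grants that would bypass the Exchange scope can be reviewed and, where no longer needed, removed. It uses the Microsoft.Graph.Applications module; the client ID is a placeholder, and the regular expression used to flag mailbox-related permissions is an assumption covering the permission families named on this page's topic (mail, mailbox settings, calendars, contacts).

```powershell
# Added example (not from the page): audit tenant-wide Microsoft Graph application permissions
# on an app's service principal. These grants are not narrowed by Exchange Online RBAC scopes.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of the Microsoft Graph resource

function Get-UnscopedGraphPermission {
    param([Parameter(Mandatory)][string]$ClientId)

    $sp    = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
    $graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    if (-not $sp)    { throw "No service principal found for appId $ClientId." }
    if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant." }

    # Only assignments whose resource is Microsoft Graph are relevant here.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object { $_.ResourceId -eq $graph.Id } |
        ForEach-Object {
            $assignment = $_
            # Map the AppRoleId GUID back to the permission name defined on the Graph resource.
            $role = $graph.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
            [pscustomobject]@{
                Permission     = $role.Value
                # Assumed pattern: permission families that touch mailbox data and so overlap Exchange RBAC.
                MailboxRelated = [bool]($role.Value -match '^(Mail|MailboxSettings|Calendars|Contacts)\b')
                AssignmentId   = $assignment.Id
                ServicePrincipalId = $sp.Id
            }
        }
}

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$report = Get-UnscopedGraphPermission -ClientId $AppId
$report | Format-Table Permission, MailboxRelated, AssignmentId -AutoSize

# Removing a tenant-wide grant that the Exchange role assignment now replaces requires
# AppRoleAssignment.ReadWrite.All; -Confirm keeps the removal an explicit decision.
# Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All' -NoWelcome
# $report | Where-Object MailboxRelated | ForEach-Object {
#     Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.ServicePrincipalId `
#         -AppRoleAssignmentId $_.AssignmentId -Confirm
# }
```

Run the audit before and after the Exchange RBAC configuration: before, to know which tenant-wide permissions the scoped role must replace; after, to confirm that nothing mailbox-related remains granted in Entra ID, since any such grant makes the Exchange scope irrelevant for that permission.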

Reference

Official Microsoft documentation:
https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac

This article is relevant to the following Microsoft Graph-based configurations in Hudu:

Setting Up Microsoft Graph to Send Emails Through Hudu
Microsoft Office 365 Integration
