
Monday, August 26, 2024

M365 - Exchange.ManageAsApp Is Now Needed Along With full_access_as_app Permissions

I have a customer who's a CSP (Cloud Solution Provider) that uses a partner center web app to provision M365 tenants...5 million tenants to be exact (that's not a typo). A couple months ago their partner center connection broke.

In the past, they only had to add the "full_access_as_app" permission for it to work. They did some tinkering and found that after adding the "Exchange.ManageAsApp" perms, it started working, but they have no idea why.

This is kind of a PSA, because from what I can tell Microsoft didn't make any sort of announcement.

So here's what changed on the Exchange Online side:

App-only (certificate-based) authentication to Exchange Online PowerShell, meaning Connect-ExchangeOnline with an AppId and a certificate instead of a signed-in user, requires the "Exchange.ManageAsApp" application permission on the "Office 365 Exchange Online" API. "full_access_as_app" is a different permission for a different surface: it is the Exchange Web Services (EWS) application permission, and it does not satisfy the check the PowerShell module makes. An app registration that only has "full_access_as_app" granted fails at connection time, no matter how broad its EWS rights are.

"Exchange.ManageAsApp" ("Manage Exchange As Application") is not an on-behalf-of-user or impersonation permission. It is an application permission: there is no user in the token, the app acts as itself, and what it can actually do is bounded by the Exchange admin role assigned to its service principal. Microsoft documents the requirement, and the role assignment that goes with it, here:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

And here's a breakdown of the perms:

Why each permission exists:

full_access_as_app:

The EWS application permission ("Use Exchange Web Services with full access to all mailboxes"). With no signed-in user, it gives the app the equivalent of full access to every mailbox in the tenant through EWS: read, send, move and delete mail and calendar items in any mailbox. It needs no admin role assignment; the data access comes from the permission itself, which is why it is so dangerous to hand out.

Exchange.ManageAsApp:

The application permission for the Exchange Online management plane, used by app-only Connect-ExchangeOnline. By itself it grants nothing. The app's service principal must also be assigned one of the admin roles the linked doc lists (for example Exchange Administrator or the narrower Exchange Recipient Administrator), and the cmdlets it can run are exactly those the role allows. It does not impersonate anyone and does not run as any user.

Key Differences:

Surface: full_access_as_app is mailbox data access over EWS; Exchange.ManageAsApp is administrative access over PowerShell (recipients, mailbox settings, transport rules and so on), subject to the assigned role.

Role dependency: Exchange.ManageAsApp is only as powerful as the role behind it, so you choose how much the app can do by choosing the role; full_access_as_app is all-or-nothing across every mailbox and is not shaped by any role.

Least privilege: an app that provisions tenants and runs management cmdlets needs Exchange.ManageAsApp plus a role; it does not need full_access_as_app. Granting both turns one certificate into a tenant-wide mailbox reader and an Exchange admin at the same time, so grant only the permission the workload actually uses, assign the narrowest role that covers its cmdlets, and treat the certificate like the admin credential it is.

The point of the split is that mailbox data access and administrative access are separate grants, so an application can be given the one it needs without the other.
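The check and the fix in script form, as an added example (this is not code from the post or from Microsoft): it lists which application permissions the app registration holds on the "Office 365 Exchange Online" resource, grants Exchange.ManageAsApp if it is missing, and then attempts the app-only Exchange Online PowerShell connection. The client app ID, certificate thumbprint and organization are placeholders you supply; the resource appId 00000002-0000-0ff1-ce00-000000000000 is the well-known "Office 365 Exchange Online" first-party app. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the account running it can consent to application permissions.

```powershell
# Added example, not from the original post. Placeholders: $ClientAppId is the
# app's Application (client) ID, $CertThumbprint is the certificate uploaded to
# that app and present in the local cert store, $Organization is the tenant's
# initial domain. Needs Microsoft.Graph and ExchangeOnlineManagement modules.
param(
    [Parameter(Mandatory)] [string] $ClientAppId,
    [Parameter(Mandatory)] [string] $CertThumbprint,
    [Parameter(Mandatory)] [string] $Organization
)

# Well-known appId of the "Office 365 Exchange Online" first-party resource.
$ExoResourceAppId = '00000002-0000-0ff1-ce00-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
$exoSp    = Get-MgServicePrincipal -Filter "appId eq '$ExoResourceAppId'"
if (-not $clientSp -or -not $exoSp) { throw 'Service principal lookup failed.' }

# App-role assignments on the client SP are the consented application
# permissions; map the role GUIDs back to their names on the EXO resource.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id |
    Where-Object ResourceId -eq $exoSp.Id |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($exoSp.AppRoles | Where-Object Id -eq $roleId).Value
    }

"Application permissions on Office 365 Exchange Online: $($granted -join ', ')"
foreach ($perm in 'full_access_as_app', 'Exchange.ManageAsApp') {
    $status = if ($granted -contains $perm) { 'granted' } else { 'MISSING' }
    "{0,-22} {1}" -f $perm, $status
}

if ($granted -notcontains 'Exchange.ManageAsApp') {
    $role = $exoSp.AppRoles | Where-Object Value -eq 'Exchange.ManageAsApp'
    # Creating this assignment is what "Grant admin consent" does in the portal.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
        -PrincipalId $clientSp.Id -ResourceId $exoSp.Id -AppRoleId $role.Id | Out-Null
    'Granted Exchange.ManageAsApp (consent can take a few minutes to propagate).'
}
Disconnect-MgGraph | Out-Null

# The permission alone is not enough: the service principal also needs an
# Exchange admin role (e.g. Exchange Administrator in Entra). The connection
# below only succeeds when both are in place.
try {
    Connect-ExchangeOnline -AppId $ClientAppId -CertificateThumbprint $CertThumbprint `
        -Organization $Organization -ShowBanner:$false
    $cfg = Get-OrganizationConfig
    "App-only connection OK: $($cfg.Name)"
} catch {
    "App-only connection failed: $($_.Exception.Message)"
} finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
}
```

If the script reports Exchange.ManageAsApp as granted but the connection still fails, the missing piece is the role assignment, not the permission; if full_access_as_app shows as granted on an app that only runs management cmdlets, that is a grant worth removing.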

Hopefully if you or your partner/customers have this issue, adding the extra Exchange perms will fix that!
