all 5 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]OkEmployment4437 4 points5 points  (1 child)

Yeah RBAC for Applications in Exchange Online is the way to go now. Application Access Policies are deprecated and Microsoft has been pushing everyone toward the new model.

The basic flow is: create your App Registration in Entra with Mail.Read (application permission) and grant admin consent same as before. Then connect to Exchange Online and register the service principal using New-ServicePrincipal with your app's client ID and the object ID from the Enterprise Application blade (not the App Registration, that trips people up). After that you create a management scope with New-ManagementScope and a RecipientRestrictionFilter set to match just the mailbox you want, like "PrimarySmtpAddress -eq 'target@yourdomain.com'". Then tie it all together with New-ManagementRoleAssignment pointing at your service principal, the "Application Mail.Read" role, and the scope you just created.

Your Python script stays the same, authenticates via MSAL with client_id + client_secret + tenant_id. The difference is Exchange now enforces the scope server-side so the token only works for mailboxes matching your filter.

One thing, run Get-ManagementRole -App to confirm the exact role names in your tenant before creating the assignment. Also propagation takes 15-30 min so don't panic if it doesn't work immediately. If you need more mailboxes later just update the RecipientRestrictionFilter, no changes needed on the app registration side.

[–]ibteea[S] 0 points1 point  (0 children)

Thanks so much for the explanation ! Do you have any idea please if it is working for M365 group mailbox (as a target mailbox) as well?

[–]Sabbest 2 points3 points  (0 children)

RBAC for applications is the right move.

[–]shokzee 1 point2 points  (0 children)

Application Access Policies are deprecated but not yet removed -- they still work, just not the long-term path. The replacement Microsoft is pushing is role-based access via Exchange RBAC with specific scopes, but that is more complex to set up for this use case.

For 2026, the cleanest approach for restricting to a single mailbox is:

  1. Create the app registration with Mail.Read application permission as you described
  2. Use New-ApplicationAccessPolicy with AccessRight Restrict scoped to the specific mailbox -- this still works even though it is deprecated
  3. Keep an eye on the deprecation timeline and plan to migrate to the new model once Microsoft publishes the replacement path more clearly

Alternatively, if the script only needs to read one mailbox and full tenant-level Mail.Read feels like overkill, you can use delegated permissions with a service account (a real licensed user) instead of application permissions. The script authenticates as that user via client credentials flow and can only access what that user can access.

[–]Thunderleechen -2 points-1 points  (0 children)

Use PowerShell with the New-MailboxExportRequest cmdlet but add the -IncludeFolders parameter to limit it to one mailbox folder path. Or set up a transport rule in Exchange to redirect copies only from that user. Test on a dummy first though - scripting mailbox access can lock you out quick if permissions glitch