Application Access Policy for Approval Mailboxes (Azure AD / Exchange Online)
Activate supports processing approval actions through a dedicated Exchange mailbox in Microsoft Exchange Online environments. This requires granting application-level access to the mailbox. This document explains how to securely scope that access using application access policies, so that the Activate approval integration follows the principle of least privilege.

The guidance in this document applies specifically to Exchange Online (Office 365) deployments and is intended to complement the Email Approvals configuration documentation.

Purpose and Scope

This document explains:

- why application-level permissions are required for email approvals
- how application access policies work in Exchange Online
- how to restrict Activate mailbox access to a single, dedicated approval mailbox

It does not describe how email approvals are processed internally or how to configure approval logic within Activate. Those topics are covered in the Email Approvals configuration guide.

Why Application Access Policies Are Required

When using Exchange Online with app-only authentication, Activate connects to Exchange Web Services (EWS) using application-level permissions. By default, these permissions apply tenant-wide and would allow access to all mailboxes.

Application access policies provide a Microsoft-supported mechanism to restrict an application so that it can access only specific mailboxes. This is a critical security control and is strongly recommended for all customer environments.

Without an application access policy:

- Exchange application permissions apply to every mailbox in the tenant
- the integration does not meet least-privilege expectations

With an application access policy:

- access is limited to explicitly scoped mailboxes
- customer security and audit requirements can be satisfied

How Application Access Policies Work

An application access policy is enforced by Exchange Online and links:

- an Entra ID application (identified by its AppId)
- a mailbox scope, defined using a mail-enabled security group

Exchange evaluates the policy on every mailbox request. If the target mailbox is not within the defined scope, the request is denied.

Recommended Architecture for Activate

Activate recommends the following design for email approvals in Exchange Online:

- a dedicated mailbox used only for approval processing
- a dedicated Entra ID application used only for Exchange access
- a mail-enabled security group containing only the approval mailbox
- an application access policy that restricts the application to that group

This approach provides clear separation of responsibilities, strong security boundaries, and simple auditing.

Mailbox Access Scope

Activate requires access to a single approval mailbox in order to read incoming approval messages and manage them after processing. At a high level, within the scoped mailbox, Activate may:

- read messages from the inbox
- mark messages as processed and remove them from the inbox
- send limited reply messages in error scenarios

Activate does not require access to any other mailboxes in the tenant.

Required Permissions

Exchange Online (Office 365)

For Exchange Online using EWS with app-only authentication, Activate requires the Exchange application permission full_access_as_app. This permission is broad by default and must always be combined with an application access policy that restricts access to the approval mailbox only.

On-Premises Exchange

For on-premises Exchange environments, mailbox access is typically granted using a service account:

- the account must have Full Access to the approval mailbox
- the mailbox should be dedicated to approval processing

Although application access policies do not apply to on-premises Exchange, the same least-privilege principles should be followed.

High-Level Configuration Steps

1. Create or identify a dedicated approval mailbox.
2. Create a mail-enabled security group and add the approval mailbox as a member.
3. Register a dedicated Entra ID application for Exchange access.
4. Grant the required Exchange application permission and approve admin consent.
5. Create an application access policy that scopes the application to the security group.
6. Configure Activate to use the corresponding Entra ID connection.

After configuration, allow time for policy propagation and validate that the integration functions correctly.

Operational Considerations

- Changes to application access policies may take time to propagate.
- Updating group membership changes the mailbox access scope.
- The approval mailbox must not be used for manual email processing.
- Application credentials must be stored securely and rotated according to customer policy.

Summary

Application access policies are a critical control when using Exchange Online application permissions with Activate email approvals. By combining app-only access with a tightly scoped application access policy, customers can ensure Activate has access only to the approval mailbox it requires, while maintaining strong security and compliance boundaries.
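The scope-group, policy and validation steps described above, as an added Exchange Online PowerShell example that is not part of the Activate documentation. It assumes the approval mailbox already exists and that the Entra ID app registration and admin consent were completed in the Entra portal; the mailbox addresses, group name and AppId are constructed placeholders.

```powershell
# Added example: scope a dedicated Entra ID application to a single approval
# mailbox with an Exchange Online application access policy, then verify it.
# Requires the ExchangeOnlineManagement module and an Exchange administrator.
# All identifiers below are constructed placeholders for this example.
$ApprovalMailbox = 'activate-approvals@contoso.example'   # existing dedicated mailbox
$ScopeGroupName  = 'SG-Activate-Approval-Mailbox'
$ScopeGroupSmtp  = 'sg-activate-approval-mailbox@contoso.example'
$AppId           = '00000000-0000-0000-0000-000000000000'  # PLACEHOLDER: AppId of the Activate Exchange app
$ControlMailbox  = 'finance@contoso.example'               # unrelated mailbox used as a negative check

Connect-ExchangeOnline

# Mail-enabled security group whose only member is the approval mailbox.
if (-not (Get-DistributionGroup -Identity $ScopeGroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $ScopeGroupName -Type Security `
        -PrimarySmtpAddress $ScopeGroupSmtp | Out-Null
}
Add-DistributionGroupMember -Identity $ScopeGroupSmtp -Member $ApprovalMailbox `
    -ErrorAction SilentlyContinue   # ignore "already a member"

# Any extra member silently widens the application's access scope, so verify the
# membership is exactly the approval mailbox before creating the policy.
$members = @(Get-DistributionGroupMember -Identity $ScopeGroupSmtp)
if ($members.Count -ne 1 -or "$($members[0].PrimarySmtpAddress)" -ne $ApprovalMailbox) {
    throw "Scope group $ScopeGroupSmtp must contain only $ApprovalMailbox"
}

# RestrictAccess limits the application to mailboxes that are members of the group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroupSmtp `
    -AccessRight RestrictAccess `
    -Description 'Activate email approvals: approval mailbox only'

# Validation: the policy can take time to propagate, so poll until the approval
# mailbox is Granted and the unrelated mailbox is Denied.
for ($i = 0; $i -lt 10; $i++) {
    $allowed = Test-ApplicationAccessPolicy -Identity $ApprovalMailbox -AppId $AppId
    $blocked = Test-ApplicationAccessPolicy -Identity $ControlMailbox  -AppId $AppId
    if ($allowed.AccessCheckResult -eq 'Granted' -and $blocked.AccessCheckResult -eq 'Denied') {
        Write-Output "Policy effective: $AppId may access only $ApprovalMailbox"
        break
    }
    Start-Sleep -Seconds 60
}
if ($blocked.AccessCheckResult -ne 'Denied') {
    Write-Warning "Policy not yet effective for $AppId; re-run Test-ApplicationAccessPolicy later"
}
```

Re-run the two Test-ApplicationAccessPolicy calls after any change to the group membership, since adding a member is what widens the application's scope.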