I have an app that queries Microsoft Graph, and it must run as a service/daemon. This app needs to access one specific shared mailbox. The app must not have access to the entire tenant (which I believe is the behavior with 'Grant Admin Consent'). How would I go about granting permission to a service/daemon to one specific shared mailbox?
I have seen this documentation:
https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
https://learn.microsoft.com/en-us/powershell/module/exchange/organization/new-applicationaccesspolicy?view=exchange-ps
I have tried the cmdlet "New-ApplicationAccessPolicy" but the target of the -PolicyGroupId is the shared mailbox, which returns an error because it's not a security principal.
Shared mailboxes are not security principals. This limitation for PolicyGroupId is called out in the documentation for New-ApplicationAccessPolicy.
To limit access to a shared mailbox, you should create a new SG, include the shared mailbox as a member and then use the SG to create the AppAccessPolicy.
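The procedure from the answer, written out end to end in Exchange Online PowerShell as an added example (this is not code from the original post or from Microsoft's docs). It assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange admin role, and that the app ID, domain, mailbox addresses and group name are placeholders you replace. Note that the cmdlet's scope parameter is named `-PolicyScopeGroupId`, and the group it points at must be a mail-enabled security group, which is what `New-DistributionGroup -Type Security` creates.

```powershell
# Added example (not from the original post): restrict a daemon app's Graph
# mailbox access to exactly one shared mailbox with an ApplicationAccessPolicy.
# Every identifier below is an assumed placeholder.

$AppId         = '00000000-0000-0000-0000-000000000000'   # assumed: the daemon's app (client) ID
$SharedMailbox = 'shared-inbox@contoso.example'           # assumed: the one mailbox the app may use
$GroupAlias    = 'sg-graph-shared-inbox-only'             # assumed: new group name/alias
$GroupSmtp     = "$GroupAlias@contoso.example"

Connect-ExchangeOnline

# 1. Create a mail-enabled security group. Unlike the shared mailbox itself,
#    the group is a security principal, so it is a valid policy scope.
New-DistributionGroup -Name $GroupAlias -Alias $GroupAlias `
    -PrimarySmtpAddress $GroupSmtp -Type Security

# 2. Make the shared mailbox the group's only member. Anything added to this
#    group later silently widens what the app can reach, so keep it reviewed.
Add-DistributionGroupMember -Identity $GroupSmtp -Member $SharedMailbox

# 3. RestrictAccess: the app may only act on mailboxes that are group members.
#    Requests against any other mailbox are rejected even though the app's
#    Mail.* / Calendars.* / Contacts.* application permissions were consented
#    tenant-wide.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description 'Daemon app: shared inbox only'

# 4. Verify the allowed case and a denied case. Policy changes can take up to
#    30 minutes to replicate, so re-run the checks if the result has not
#    changed yet.
Test-ApplicationAccessPolicy -Identity $SharedMailbox -AppId $AppId |
    Select-Object Identity, AccessCheckResult
Test-ApplicationAccessPolicy -Identity 'another-user@contoso.example' -AppId $AppId |
    Select-Object Identity, AccessCheckResult
```

The two `Test-ApplicationAccessPolicy` calls are the check worth keeping: the shared mailbox should report `Granted` and the unrelated user `Denied`. The policy does not replace admin consent for the app's Graph application permissions; it narrows which mailboxes those already-consented permissions apply to.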