Restricting App Access using RBAC for Applications (Graph API)
By default, granting application permissions gives your Microsoft Entra application access to all mailboxes within your tenant. To follow the principle of least privilege, Microsoft recommends using Exchange Online Role-Based Access Control (RBAC) for Applications.
This method restricts the application's access strictly to users within a designated Mail-Enabled Security Group, preventing the connector from interacting with unauthorized mailboxes.
Note: Run all commands in this guide from a PowerShell session that has the ExchangeOnlineManagement module installed, signed in as an account that holds an Exchange Online administrative role (for example Exchange Administrator). An elevated (Administrator) PowerShell session is only needed to install the module machine-wide; it is the Exchange Online role, not local elevation, that authorizes these cmdlets.
Pre-requirements
Before applying these advanced restrictions, ensure you have already registered your application and configured the base Microsoft Graph API permissions.
To review the base setup process, refer to the Configuring Microsoft 365 (Graph API) article.
Step 1. Connect to Exchange Online
First, import the required module and authenticate with your Microsoft 365 tenant:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Step 2. Create a Service Principal
Link your existing Microsoft Entra application to Exchange Online by creating a Service Principal:
New-ServicePrincipal `
    -AppId "your-app-id" `
    -ServiceId "your-enterprise-app-object-id" `
    -DisplayName "Your App Name"
Warning: Object ID vs. App ID
You must use the Object ID from your Enterprise Application, not the Application (Client) ID.
You can find this in the Azure Portal by navigating to Enterprise Applications > [Your App Name] > Overview.
Step 3. Create a Mail-Enabled Security Group
Warning: Group Type Restriction
The group must explicitly be a Mail-Enabled Security Group. Standard Microsoft 365 or Entra ID groups are not supported for this policy.
Create a Mail-Enabled Security Group:
New-DistributionGroup -Name "Sendent RBAC Group" -Alias "sendentrbacgroup" -Type Security
Step 4. Add Users to the Group
Add the specific users whose data will be synchronized by the connector:
$users = "user1@domain.com", "user2@domain.com"
foreach ($user in $users) {
    Add-DistributionGroupMember -Identity "sendentrbacgroup@domain.onmicrosoft.com" -Member $user
}
Step 5. Assign RBAC Roles
You must assign specific RBAC roles to your Service Principal, scoping them exclusively to the group you created:
Note: Each role assignment grants only the permission named in that role, so assign only the roles the connector actually needs (for example, skip the Contacts assignment if contacts are not synchronized), and likewise do not add Graph permissions to the App Registration in Entra ID that the connector does not require.
For Calendars:
New-ManagementRoleAssignment `
    -App "your-enterprise-app-object-id" `
    -Role "Application Calendars.ReadWrite" `
    -RecipientGroupScope "sendentrbacgroup@domain.onmicrosoft.com"
For Contacts:
New-ManagementRoleAssignment `
    -App "your-enterprise-app-object-id" `
    -Role "Application Contacts.ReadWrite" `
    -RecipientGroupScope "sendentrbacgroup@domain.onmicrosoft.com"
Step 6. Verify and Test the Policy
To confirm the roles were assigned successfully, retrieve them using your Enterprise App Object ID:
Get-ManagementRoleAssignment | Where-Object { $_.App -eq "your-enterprise-app-object-id" } | Format-List Role, CustomResourceScope
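Listing the assignments only proves that the roles exist; it does not prove that a mailbox outside the group is unreachable. The script below is an added example (not part of the original article or the connector's own tooling) that runs Steps 2 to 6 in one pass, skips anything that already exists so it can be re-run safely, and then checks effective access with Test-ServicePrincipalAuthorization for every member of the group and for one mailbox that must stay out of scope. All IDs, addresses and the user3@domain.com out-of-scope mailbox are placeholders you must replace; the check reads the InScope column of the Test-ServicePrincipalAuthorization output.

```powershell
# Added example, not from the original article: Steps 2-6 as one idempotent
# script, ending with an effective-access check rather than an assignment list.
# Every value in $Config is a placeholder and must be replaced.
$Config = @{
    AppId       = "00000000-0000-0000-0000-000000000000"   # Application (client) ID
    ServiceId   = "11111111-1111-1111-1111-111111111111"   # Enterprise App OBJECT ID
    DisplayName = "Sendent Connector"
    GroupName   = "Sendent RBAC Group"
    GroupAlias  = "sendentrbacgroup"
    GroupSmtp   = "sendentrbacgroup@domain.onmicrosoft.com"
    Members     = @("user1@domain.com", "user2@domain.com")
    Roles       = @("Application Calendars.ReadWrite", "Application Contacts.ReadWrite")
    OutOfScope  = "user3@domain.com"   # placeholder: a mailbox that must NOT be reachable
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Step 2: create the service principal only if Exchange Online does not know it yet.
if (-not (Get-ServicePrincipal -Identity $Config.ServiceId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $Config.AppId -ServiceId $Config.ServiceId `
        -DisplayName $Config.DisplayName | Out-Null
}

# Step 3: -Type Security is what makes this a mail-enabled security group.
if (-not (Get-DistributionGroup -Identity $Config.GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $Config.GroupName -Alias $Config.GroupAlias `
        -PrimarySmtpAddress $Config.GroupSmtp -Type Security | Out-Null
}

# Step 4: add members, skipping anyone already present so re-runs do not error.
$existing = Get-DistributionGroupMember -Identity $Config.GroupSmtp -ResultSize Unlimited |
    ForEach-Object { [string]$_.PrimarySmtpAddress }
foreach ($m in $Config.Members) {
    if ($existing -notcontains $m) {
        Add-DistributionGroupMember -Identity $Config.GroupSmtp -Member $m
    }
}

# Step 5: one assignment per role, always scoped to the group; reuse existing ones.
$assigned = Get-ManagementRoleAssignment | Where-Object { $_.App -eq $Config.ServiceId }
foreach ($role in $Config.Roles) {
    if (-not ($assigned | Where-Object { $_.Role -eq $role })) {
        New-ManagementRoleAssignment -App $Config.ServiceId -Role $role `
            -RecipientGroupScope $Config.GroupSmtp | Out-Null
    }
}

# Step 6: check effective access per mailbox. Test-ServicePrincipalAuthorization
# returns one row per role with an InScope flag for the given resource.
function Test-ConnectorScope {
    param([string]$Mailbox, [bool]$ExpectedInScope)
    $result  = Test-ServicePrincipalAuthorization -Identity $Config.ServiceId -Resource $Mailbox
    $inScope = @($result | Where-Object { $_.InScope -eq $true }).Count -gt 0
    if ($inScope -ne $ExpectedInScope) {
        Write-Warning "$Mailbox : InScope=$inScope, expected $ExpectedInScope (assignments may still be propagating)"
    } else {
        Write-Host "$Mailbox : OK (InScope=$inScope)"
    }
}
foreach ($m in $Config.Members) { Test-ConnectorScope -Mailbox $m -ExpectedInScope $true }
Test-ConnectorScope -Mailbox $Config.OutOfScope -ExpectedInScope $false
```

Run it once right after assignment and again after the propagation window: the in-scope members should report OK and the out-of-scope mailbox should report InScope=False. A warning on the out-of-scope mailbox that persists after propagation means the connector can reach mailboxes it should not, and the assignments should be reviewed before the connector is put into service.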
Important Considerations & Troubleshooting
Propagation Delay: After assigning roles, allow 10 to 30 minutes for the changes to propagate before testing; a failure inside that window is expected and is not by itself a sign of misconfiguration.
Visualizing the Group: You can visually confirm the group's members by navigating to the Azure Portal: Entra ID > Groups > [Search for your group] > Members.
Additional Management Commands
Here are a few supplementary PowerShell commands to help you manage your group and roles over time:
Check who is in the group:
Get-DistributionGroupMember -Identity "sendentrbacgroup@domain.onmicrosoft.com"
Remove a user from the group:
Remove-DistributionGroupMember -Identity "sendentrbacgroup@domain.onmicrosoft.com" -Member "user@domain.com" -Confirm:$false
Delete the entire group:
Remove-DistributionGroup -Identity "sendentrbacgroup@domain.onmicrosoft.com" -Confirm:$false
Find all assigned roles by name and role:
Get-ManagementRoleAssignment | Where-Object { $_.App -eq "your-enterprise-app-object-id" } | Format-List Name, Role
Remove a specific role assignment:
Remove-ManagementRoleAssignment -Identity "Role Assignment Name here" -Confirm:$false
Note: Deleting and Recreating Groups
If you need to delete a group and create a new one, always remove the associated role assignments before deleting the group. If you delete the group without removing the role assignments first, the assignments will remain in Exchange Online without a scope, granting broad access to all mailboxes. Use the Remove a specific role assignment command from the Additional Management Commands section before deleting the group.
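Because the order of operations is what prevents an unscoped assignment, it is worth scripting the teardown so the group cannot be deleted while any assignment for the app still exists. The function below is an added example (not from the original article) that removes every role assignment held by the service principal first, re-checks that none remain, and only then deletes the group; it fails closed if the re-check finds a leftover. The ServiceId and group address are placeholders, and the -WhatIf switch lets you dry-run it before the real deletion.

```powershell
# Added example, not from the original article: tear down in the safe order
# (assignments first, group second) and refuse to continue if anything is left.
# $ServiceId and $GroupSmtp are placeholders.
$ServiceId = "11111111-1111-1111-1111-111111111111"   # Enterprise App OBJECT ID
$GroupSmtp = "sendentrbacgroup@domain.onmicrosoft.com"

function Remove-ConnectorScope {
    param(
        [Parameter(Mandatory)] [string]$ServiceId,
        [Parameter(Mandatory)] [string]$GroupSmtp,
        [switch]$WhatIf
    )

    # 1. Remove every assignment the service principal holds BEFORE touching the group.
    $assignments = Get-ManagementRoleAssignment | Where-Object { $_.App -eq $ServiceId }
    foreach ($a in $assignments) {
        Write-Host "Removing role assignment '$($a.Name)' ($($a.Role))"
        Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false -WhatIf:$WhatIf
    }

    # 2. Fail closed: never delete the group while an assignment for this app remains.
    $remaining = @(Get-ManagementRoleAssignment | Where-Object { $_.App -eq $ServiceId })
    if (-not $WhatIf -and $remaining.Count -gt 0) {
        throw "Still $($remaining.Count) assignment(s) for $ServiceId; not deleting $GroupSmtp"
    }

    # 3. Only now is it safe to delete the group.
    if (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue) {
        Remove-DistributionGroup -Identity $GroupSmtp -Confirm:$false -WhatIf:$WhatIf
    }
}

Remove-ConnectorScope -ServiceId $ServiceId -GroupSmtp $GroupSmtp -WhatIf   # dry run
# Remove-ConnectorScope -ServiceId $ServiceId -GroupSmtp $GroupSmtp         # real run
```

After the real run, re-create the group and assignments with the steps above; because the function removed all assignments for the app, every scope has to be granted again explicitly rather than inherited from a stale assignment.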