Understanding and Mitigating Risks Associated with SaaS Solutions Accessing Exchange Online with APIs Using Microsoft Entra ID Applications

· M365

Many Software as a Service (SaaS) solutions require access to Exchange Online to provide their services effectively.

These solutions typically register a Microsoft Entra ID application and request API permissions on it in order to reach user mailboxes, calendars and contacts.

To manage and control these permissions, Microsoft provides two types of API permission: delegated permissions and application permissions. Both exist on the two resources that expose Exchange Online data: Microsoft Graph, and the older Office 365 Exchange Online resource used for Exchange Web Services (EWS).

Delegated Permissions

Delegated permissions let an application act on behalf of a signed-in user. The application never gets more than the intersection of what it was granted and what that user can do: the resources it can reach (mailboxes, calendars, contacts) are those the user has access to.

The key delegated permissions for Exchange Online data in Microsoft Graph are:

  • Mail.Read: Read user’s mail.
  • Mail.ReadBasic: Read user’s basic mail information.
  • Mail.ReadWrite: Read and write user’s mail.
  • Mail.Send: Send mail as a user.
  • MailboxSettings.Read: Read user’s mailbox settings.
  • MailboxSettings.ReadWrite: Read and write user’s mailbox settings.
  • Calendars.Read: Read user’s calendar events.
  • Calendars.ReadWrite: Read and write user’s calendar events.
  • Contacts.Read: Read user’s contacts.
  • Contacts.ReadWrite: Read and write user’s contacts.

In the Microsoft Entra admin center these are added under App registrations > the application > API permissions > Add a permission > Microsoft Graph > Delegated permissions.

These delegated permissions ensure that the SaaS solution can only access Exchange Online data belonging to the user who is using the solution (Mail.Read covers the user's own mailbox only; shared mailboxes the user can open need the separate Mail.Read.Shared scope).

Thus, the risk associated with the solution accessing Exchange Online is limited to the individual users' Exchange Online objects.

If the solution is compromised, only the Exchange Online data of the users who signed in to it is exposed, through the access and refresh tokens the solution holds for those users.

For Office 365 Exchange Online, the delegated permission available is:

  • EWS.AccessAsUser.All: Access mailboxes as the signed-in user via Exchange Web Services

In the Microsoft Entra admin center it is added under App registrations > the application > API permissions > Add a permission > APIs my organization uses > Office 365 Exchange Online > Delegated permissions.

There is a crucial consideration with the EWS.AccessAsUser.All permission. EWS honours all of the signed-in user's Exchange permissions, not just ownership of their own mailbox. If an administrator uses the SaaS solution, the token the application obtains carries that administrator's rights: every mailbox the administrator can open through EWS, for instance via Full Access permissions or an impersonation role such as ApplicationImpersonation, becomes reachable by the application.

This necessitates careful management of who is using the solution, and with which account, to mitigate potential risks.
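A practical first step is knowing which applications in the tenant already hold these delegated scopes, and whether an administrator consented to them for everyone or individual users consented for themselves. The following script is an added example, not code from the original article; it uses the Microsoft.Graph PowerShell SDK and assumes the signed-in account can read service principals and OAuth2 permission grants (Directory.Read.All). The well-known application IDs of Microsoft Graph and Office 365 Exchange Online are real; the scope pattern is limited to the permissions discussed above.

```powershell
# Added example (not from the original article): inventory the delegated Exchange
# Online scopes that applications have been granted in this tenant.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can read service principals and OAuth2 permission grants.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Well-known application IDs of the two resources that expose Exchange Online data.
$resources = @{
    '00000003-0000-0000-c000-000000000000' = 'Microsoft Graph'
    '00000002-0000-0ff1-ce00-000000000000' = 'Office 365 Exchange Online'
}

# Scopes covered by this article: Graph mailbox scopes and the EWS delegated scope.
$mailboxScopePattern = '^(Mail|MailboxSettings|Calendars|Contacts)\.|^EWS\.AccessAsUser\.All$'

# Resource service principal object IDs are tenant specific; resolve them once.
$resourceNameBySpId = @{}
foreach ($appId in $resources.Keys) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if ($sp) { $resourceNameBySpId[$sp.Id] = $resources[$appId] }
}

# One grant row per client/resource/principal; cache client lookups.
$clientCache = @{}
$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if (-not $resourceNameBySpId.ContainsKey($grant.ResourceId)) { continue }

    # Scope is a space-separated string; keep only the mailbox-related scopes.
    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ -match $mailboxScopePattern })
    if ($scopes.Count -eq 0) { continue }

    if (-not $clientCache.ContainsKey($grant.ClientId)) {
        $clientCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $client = $clientCache[$grant.ClientId]

    [pscustomobject]@{
        Application = $client.DisplayName
        ClientAppId = $client.AppId
        Resource    = $resourceNameBySpId[$grant.ResourceId]
        # AllPrincipals: an admin consented for every user; Principal: one user consented for themselves.
        ConsentType = $grant.ConsentType
        PrincipalId = $grant.PrincipalId
        Scopes      = ($scopes -join ' ')
    }
}

$findings | Sort-Object Application, Resource |
    Format-Table Application, Resource, ConsentType, Scopes -AutoSize

# EWS.AccessAsUser.All deserves its own line: its reach depends on who signs in.
$findings | Where-Object { $_.Scopes -match 'EWS\.AccessAsUser\.All' } |
    ForEach-Object { Write-Warning "$($_.Application) holds EWS.AccessAsUser.All; review which accounts sign in to it." }
```

Rows with ConsentType AllPrincipals are the tenant-wide grants an administrator approved; rows with ConsentType Principal are per-user consents and show PrincipalId, which is where to look when checking whether an administrator has signed in to an application holding EWS.AccessAsUser.All.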

Application Permissions

Application permissions grant an application access to all mailboxes, calendars and contacts in Exchange Online under its own identity, with no user context: the application authenticates with its own client secret or certificate, and these permissions always require administrator consent. Anyone who obtains that credential gets the same tenant-wide access.

The key application permissions in Microsoft Graph for Exchange Online are:

  • Mail.Read: Read all mail.
  • Mail.ReadBasic: Read basic mail information.
  • Mail.ReadBasic.All: Read basic mail information of all users.
  • Mail.ReadWrite: Read and write all mail.
  • Mail.Send: Send mail as any user.
  • MailboxSettings.Read: Read all mailbox settings.
  • MailboxSettings.ReadWrite: Read and write all mailbox settings.
  • Calendars.Read: Read all calendar events.
  • Calendars.ReadWrite: Read and write all calendar events.
  • Contacts.Read: Read all contacts.
  • Contacts.ReadWrite: Read and write all contacts.

In the Microsoft Entra admin center these are added under App registrations > the application > API permissions > Add a permission > Microsoft Graph > Application permissions.

For Office 365 Exchange Online, the application permission available is:

  • full_access_as_app: Full access to all Exchange Online data via Exchange Web Services.

In the Microsoft Entra admin center it is added under App registrations > the application > API permissions > Add a permission > APIs my organization uses > Office 365 Exchange Online > Application permissions.

The use of application permissions presents a higher risk because the application has unrestricted access to the Exchange Online data of all users, and that access does not depend on anyone signing in.
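Because application permissions are granted as app role assignments on the resource service principal rather than as user consents, the delegated-scope inventory above does not show them. The script below is an added example, not code from the original article: it lists every application holding a mailbox-wide application permission on Microsoft Graph or Office 365 Exchange Online, and flags those for which no ApplicationAccessPolicy exists in Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account can read service principals (Application.Read.All) and Exchange Online policies.

```powershell
# Added example (not from the original article): list applications holding
# mailbox-wide application permissions and flag those with no ApplicationAccessPolicy.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules installed; the
# signed-in account can read service principals and Exchange Online policies.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$resources = @{
    '00000003-0000-0000-c000-000000000000' = 'Microsoft Graph'
    '00000002-0000-0ff1-ce00-000000000000' = 'Office 365 Exchange Online'
}
# App roles covered by this article: Graph mailbox roles and the EWS app-only role.
$mailboxRolePattern = '^(Mail|MailboxSettings|Calendars|Contacts)\.|^full_access_as_app$'

# Application (client) IDs that already have at least one policy in Exchange Online.
$scopedAppIds = @(Get-ApplicationAccessPolicy | Select-Object -ExpandProperty AppId)

$findings = foreach ($appId in $resources.Keys) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $resourceSp) { continue }

    # Translate app role GUIDs into their names (e.g. Mail.ReadWrite) for this resource.
    $roleNameById = @{}
    foreach ($role in $resourceSp.AppRoles) { $roleNameById[$role.Id] = $role.Value }

    # Each assignment is an app-only permission some client holds on this resource.
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All) {
        if ($assignment.PrincipalType -ne 'ServicePrincipal') { continue }
        $roleName = $roleNameById[$assignment.AppRoleId]
        if (-not $roleName -or $roleName -notmatch $mailboxRolePattern) { continue }

        $client = Get-MgServicePrincipal -ServicePrincipalId $assignment.PrincipalId
        [pscustomobject]@{
            Application    = $client.DisplayName
            ClientAppId    = $client.AppId
            Resource       = $resources[$appId]
            AppRole        = $roleName
            ScopedByPolicy = ($scopedAppIds -contains $client.AppId)
        }
    }
}

$findings | Sort-Object Application, Resource, AppRole | Format-Table -AutoSize

# Unscoped applications can reach every mailbox in the tenant: review these first.
$findings | Where-Object { -not $_.ScopedByPolicy } |
    Select-Object -ExpandProperty Application -Unique |
    ForEach-Object { Write-Warning "$_ holds mailbox-wide application permissions and no ApplicationAccessPolicy." }
```

ScopedByPolicy only says that some policy is keyed on the application's ID; it does not say the policy's group is the right one, and whether a policy is enforced for the EWS full_access_as_app role (as opposed to the Microsoft Graph mailbox permissions it is documented for) should be confirmed against Microsoft's current documentation before relying on it for EWS-based solutions.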

To mitigate this risk, administrators can create an ApplicationAccessPolicy in Exchange Online to restrict which mailboxes (and their calendars and contacts) the Microsoft Entra ID application/SaaS solution can reach. The policy is keyed on the application (client) ID, is scoped to the members of a mail-enabled security group or distribution group, and only affects application permissions: delegated access is unchanged by it.

Here is an example of how to create such a policy to restrict an app to members of the distribution group EvenUsers (run from a session opened with Connect-ExchangeOnline):

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."

You can test the policy by running the following command, replacing the arguments for Identity and AppId:

Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b

The AccessCheckResult field of the output indicates whether the app has access to User1's mailbox (Granted or Denied), helping administrators verify the effectiveness of the policy.

Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy shows positive results.
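Testing only the mailbox the policy is meant to allow proves little; the useful check is that a mailbox outside the group is denied. The following script is an added example, not code from the original article, that applies the two commands above end to end and tests both sides of the boundary. It assumes the ExchangeOnlineManagement module is installed, the caller is an Exchange administrator, the AppId is the application (client) ID of the SaaS solution (the placeholder GUID from the article), EvenUsers@contoso.com is a mail-enabled group, user1@contoso.com is a member of it and user2@contoso.com is not; all of these are placeholders.

```powershell
# Added example (not from the original article): create a RestrictAccess policy
# and verify it for a mailbox inside and a mailbox outside the scope group.
# Assumptions: ExchangeOnlineManagement module installed; caller is an Exchange
# administrator; $appId, the group and both users are placeholders, with user1
# a member of the group and user2 not.
Connect-ExchangeOnline -ShowBanner:$false

$appId          = 'e7e4dbfc-046f-4074-9b3b-2ae8f144f59b'
$scopeGroup     = 'EvenUsers@contoso.com'
$inScopeUser    = 'user1@contoso.com'
$outOfScopeUser = 'user2@contoso.com'

# Do not silently stack another policy on an app that already has one.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId }
if ($existing) {
    $existing | Format-List Identity, AccessRight, ScopeName, Description
    throw "An ApplicationAccessPolicy for $appId already exists; review it before adding another."
}

# RestrictAccess: the app may only reach mailboxes of members of the scope group.
# (DenyAccess, the other AccessRight value, blocks the app from those members instead.)
$policy = New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess -Description "Restrict this app to members of $scopeGroup"
$policy | Format-List Identity, AccessRight, ScopeName

# Test both sides of the boundary.
$results = foreach ($user in $inScopeUser, $outOfScopeUser) {
    $check = Test-ApplicationAccessPolicy -Identity $user -AppId $appId
    [pscustomobject]@{ Mailbox = $user; AccessCheckResult = $check.AccessCheckResult }
}
$results | Format-Table -AutoSize

# If the out-of-scope mailbox is not denied the policy is not doing its job: roll it back.
$outOfScopeResult = ($results | Where-Object Mailbox -eq $outOfScopeUser).AccessCheckResult
if ($outOfScopeResult -ne 'Denied') {
    Remove-ApplicationAccessPolicy -Identity $policy.Identity -Confirm:$false
    throw "Policy did not deny $outOfScopeUser (result: $outOfScopeResult); removed it for investigation."
}
```

With the group membership as assumed, the table should show the in-scope mailbox as Granted and the out-of-scope mailbox as Denied. Keep the propagation delay noted above in mind: a positive Test-ApplicationAccessPolicy result does not mean Microsoft Graph calls are already being blocked, so a live check from the application itself against an out-of-scope mailbox is the final confirmation.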

 

Understanding and managing API permissions is crucial for securely integrating SaaS solutions with Exchange Online. By leveraging delegated permissions and carefully managing application permissions, organizations can mitigate risks associated with data access and ensure that the SaaS solutions operate within the intended security boundaries. Creating and testing ApplicationAccessPolicies further enhances security by restricting access to sensitive data.