Exchange Online Mailbox Creation and Security


Updated 23 August 2022 

Microsoft are progressively removing basic authentication for various protocols.

Deprecation of Basic authentication in Exchange Online | Microsoft Docs  

 

BNS is implementing the Microsoft Graph API into its products to access mailboxes in Exchange Online.

 

msXfax supports the Graph API to access Exchange Online resources. IMAPSSL basic authentication is still used for on-premises Exchange which is optional for freeform addressing.

 

msXsms version 2 will support the Graph API to access resources in Microsoft Exchange Online.

 

Additional information for administrators - connect to Exchange Online PowerShell using multi-factor authentication

 

https://docs.microsoft.com/en-us/powershell/exchange/mfa-connect-to-exchange-online-powershell?view=exchange-ps

 

This documentation assumes that you are using PowerShell V2.
 

Creation of a mailbox in Office 365 Exchange Online

Mailbox creation is documented in the installers guides for all BNS products.

 

Email security access controls for BNS applications

BNS software is implemented as Windows services running on Windows Server VMs in your enterprise. Windows services call the Microsoft Graph API using their own identity and not on behalf of a user, i.e. they run on a server without the presence of a signed-in user.

 

BNS apps use the OAuth 2.0 client credentials grant flow to authenticate and are configured with application permissions, which enable such apps to access all mailboxes in an organization on Exchange Online. For example, the Mail.Read application permission allows apps to read mail in all mailboxes without a signed-in user.

 

Microsoft published guidelines to restrict apps to specific mailboxes: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
 

Step 1 - Create a mail enabled security group 

 
 
 
 
Add your fax server mailbox to the group. The example below shows 2 fax server mailboxes which the application will be permitted to read and write to.
 
 
 

Step 2 - Register the BNS Application in Azure 

 

 

 
 

Step 3 - Create a client secret for the app

This is required as part of the Microsoft Authentication Framework for an application to access resources in Office 365. 

 

  

 

 

 

Step 4 - Add API Permissions

 

 

 

Step 5 - Create an access policy in Exchange Online

If you need help connecting to Exchange Online, refer to this link for more information: Connect to Exchange Online PowerShell | Microsoft Docs

 

Create an application access policy

 

For more information, refer to this article: Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Docs

 

Run the following command, replacing the AppId, PolicyScopeGroupId, and Description arguments.

AppId is the application (Client) ID from Step 2

PolicyScopeGroupId is the email address of the mail enabled security group.

xxxxxxxxxxxxxxx is the name of your security group.

 

Command

 

New-ApplicationAccessPolicy -AppId AppId -PolicyScopeGroupId PolicyScopeGroupId -AccessRight RestrictAccess -Description "Restrict this app to members of security group xxxxxxxxxxxxxxx"

 

 

 

Test the access control using the Test-ApplicationAccessPolicy command.   
 

Microsoft documentation: https://docs.microsoft.com/en-us/powershell/module/exchange/test-applicationaccesspolicy?view=exchange-ps

 

Note: Changes to application access policies can take up to 30 minutes to take effect in Microsoft Graph REST API calls.

 

 

Test-ApplicationAccessPolicy -Identity EmailaddressToTest -AppId AppIDfromStep2

 

How to list access policies 

Get-ApplicationAccessPolicy | Format-List Identity,Description,ScopeName,AccessRight,AppId
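
The following is an added example, not part of the BNS or Microsoft documentation. It combines the test and list commands above into one check that the policy grants the fax server mailboxes and denies a mailbox outside the security group. The AppId and mailbox addresses are constructed placeholders, and the script assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example: verify an application access policy from both directions.
# Assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline).
# All values below are constructed placeholders; replace them with your own.
$AppId = '00000000-0000-0000-0000-000000000000'   # application (client) ID from Step 2

# Mailboxes the app must reach (members of the mail enabled security group)
# and at least one mailbox it must NOT reach (a mailbox outside the group).
$Expected = @(
    @{ Mailbox = 'faxserver1@example.com'; Result = 'Granted' }
    @{ Mailbox = 'faxserver2@example.com'; Result = 'Granted' }
    @{ Mailbox = 'some.user@example.com';  Result = 'Denied'  }
)

# Confirm that a RestrictAccess policy exists for this app before testing it.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })
if (-not ($policies | Where-Object { $_.AccessRight -eq 'RestrictAccess' })) {
    throw "No RestrictAccess policy found for AppId $AppId"
}

$failures = 0
foreach ($case in $Expected) {
    try {
        $check  = Test-ApplicationAccessPolicy -Identity $case.Mailbox -AppId $AppId -ErrorAction Stop
        $actual = [string]$check.AccessCheckResult
    } catch {
        # A lookup failure (for example an unknown address) counts as a mismatch.
        $actual = "Error: $($_.Exception.Message)"
    }
    $ok = ($actual -eq $case.Result)
    if (-not $ok) { $failures++ }
    # Emit one result row per mailbox.
    [pscustomobject]@{
        Mailbox  = $case.Mailbox
        Expected = $case.Result
        Actual   = $actual
        Pass     = $ok
    }
}

if ($failures -gt 0) {
    Write-Error "$failures mailbox check(s) did not match the expected result."
}
```

A Granted result for a mailbox outside the group means the app still has organization-wide access through its application permissions and the policy is not scoped as intended.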

 

Disconnect from Exchange Online using this command:

 

Disconnect-ExchangeOnline

 

 
