When using Modern Authentication for AskCody Exchange integration it is relevant to consider scoping options in Exchange Web Services.
AskCody is built as a Microsoft EWS Application, meaning that the authentication options are both Basic Authentication and Modern Authentication (OAuth 2.0). Announcements from Microsoft regarding the shift towards Modern authentication and plans for Retirement of basic authentication has further set a focus on the scoping options using Modern Authentication. Preveiously only Basic authentication offered a way to scope access to certain mailboxes. Now Microsoft has added support for Application access policies for EWS meaning that it is now possible to set the Access Policies for the AskCody Modern Authentication application.
How do I configure Application Access Policies?
Configuring Application Access Policy requires a connection to exchange online via PowerShell.
The AskCody Modern Auth application will appear in under Enterprise applications in the Azure portal as AskCody EWS . In the application list the Application ID will appear in the list.
The Application ID (AppID) for the AskCody Application (Modern authentication) is needed for setting the ApplicationAccessPolicy. By doing this it is important to make sure what resources is needed for the scope ie. what mailboxes does AskCody EWS application need to access.
Seen below is the standard powershell command for setting a new ApplicationAccessPolicy for a given Application.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
To learn more on how to set up ApplicationAccessPolicy see the full documentation and guide from microsoft.
Where can i learn more?
Microsoft released a blogpost about the decision to provide this functionality and their take on EWS in general.