0 votes

Hi,

I integrated my Application with office365, using the Limilabs Mail.dll IMAP client solution:
https://www.limilabs.com/blog/oauth2-password-grant-office365-exchange-imap-pop3-smtp

Basically, the link above suggests creating an applicationId on azure and giving the related permissions according to the mentioned in the link.

It works, but one customer asked me about a security problem with this solution.

After creating an Application on Azure, by using those public permissions, the ApplicationID can read any mailbox from the organization. Despite using the account credentials (mail + password)+applicationId+Tennant+ Url, the application can read any other mailbox, besides the authenticated account.

This is big trouble because usually, the organization wants to limit the application to one single mailbox access.

Well, is there some feature from Limilabs to solve this problem?

by (400 points)

1 Answer

0 votes

"After creating an Application on Azure, by using those public permissions, the ApplicationID can read any mailbox from the organization."

This is simply not true.

Application needs user and password to request access to the specific mailbox.

It can not read all mailboxes.

by (301k points)
edited by
...