How to create a o365 admin role for authenticating mailboxes with timetoreply and limit which mailboxes timetoreply can get data from

Use this guide to create an o365 admin user that will have the ability to bulk-add mailboxes and limit which mailboxes timetoreply can get data from using a mail-enabled security group.

Step 1: Create a user (or use an existing user) that will be used as the authenticate mailboxes with timetoreply.

  • Log into your o365 admin portal, click on Users > Active User and add a new user.
  • Once the user has been created, log into your Azure Active Directory, click on All Services and then choose Azure AD roles and administrators.
  • Search for the “Privileged role administrator” role and assign it to the user that you want to use to authenticate.

Step 2: Limit which mailboxes the timetoreply application is allowed to ingest data from.

Note: timetoreply only requests read access scopes and requests scopes to view the email header information only, timetoreply does not request access or have access to the body or attachments of any email.

  • Log into your o365 admin portal and click on “Groups” > “Active”
  • Choose “Mail-enabled security” from the options and create a new Mail-enabled security group.blank
  • Once created, click on the Mail-enabled security group that you have just created and click on “Members”.
  • Choose the members that should be in the security group, these are the mailboxes that you want to allow timetoreply to get data from.

Step 3: Create an ApplicateAccessPolicy to restrict timetoreply to only be able to access data from the mailboxes in your Mail-enabled security group. More info here: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

In powershell, run the following command, replacing the arguments for AppIdPolicyScopeGroupId, and Description where AppID needs to be: ca7f3ddb-4052-4e29-a3e1-9bef37e1bf4f and the PolicyScopeGroupId will be the name of the mail-enabled security group you created above (this will be in the form of an email address)

New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess

Once created you can test the policy and whether it is restricting the members correctly by running the following command:

Test the newly created application access policy.
Run the following command, replacing the arguments for Identity and AppId.

Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b