May 11, 2025
Blog
Introduction
As cloud adoption accelerates, applications have become key actors in any Microsoft 365 environment — running automations, integrating services, and accessing sensitive data. But with this growth comes risk: many apps are over-permissioned, use weak authentication methods, or access more data than they need.
Traditional models of app trust no longer suffice. In response, Microsoft is introducing new controls that help enforce how apps authenticate and what resources they can reach, aligning with modern Zero Trust principles.
This blog highlights three practical updates that give admins tighter control over app behavior:
Entra application management policies API
Scoping access in SharePoint and OneDrive
Limiting mailbox access for Graph apps
These capabilities are key to building a secure, least-privilege application environment in Microsoft 365.
1. 🔐 Entra application management policies API
Why it matters
Many organizations rely on client secrets and certificates for app authentication — but those can easily become security liabilities. Poor lifecycle management or overly permissive defaults can lead to credential sprawl, shadow IT, and exposure.
To help prevent these risks, Microsoft now enables organizations to define granular policies that govern app authentication methods.
What’s new
You can configure Application Authentication Method Policies using Microsoft Graph (Beta). These policies allow or deny specific credential types, enforce expiration rules, and block insecure practices — both tenant-wide and per-app.
But beyond that, Microsoft offers a robust list of preset restriction types you can apply, making the enforcement much more actionable.
Restriction types table:
Restriction name | Description | Examples |
|---|---|---|
asymmetricKeyLifetime | Enforce a max lifetime range for an asymmetric key (certificate). | Restrict certs to a max of 30 days for apps created after 01/01/2019. |
audiences | Restrict creation/promotion of apps based on signInAudience values. | Prevent new apps from being configured as multi-tenant. |
customPasswordAddition | Restrict custom password secrets on app/SP creation. | Block non-Azure-generated secrets on apps created after 01/01/2015. |
nonDefaultUriAddition | Block identifier URIs that don’t follow default format. | Allow only api://{appId} or api://{tenantId}/{appId} as URIs. |
passwordAddition | Block password secrets completely. | Prevent password use for all new apps created after 01/01/2019. |
passwordLifetime | Enforce max lifetime for password secrets. | Set 30-day maximum validity for secrets issued after 01/01/2015. |
symmetricKeyAddition | Block symmetric key usage. | Prevent all new symmetric key credentials on apps created after 01/01/2019. |
symmetricKeyLifetime | Enforce max lifetime for symmetric keys. | Limit lifetime to 30 days on new symmetric keys. |
trustedCertificateAuthority | Allow certs only from trusted CAs. | Reject any certs issued by non-listed authorities. |
Real-world examples
✅ Force short-lived certs for automation apps: You configure a policy that limits certificate lifetime to 30 days for internal automation tools — reducing exposure in case of theft or leaks.
🚫 Ban multi-tenant registration by default: Your tenant blocks the creation of multi-tenant apps unless explicitly approved — minimizing supply-chain risk.
💡 Pro tip: These controls are especially powerful in multi-dev teams, where app creation and registration are decentralized.
2. 📁 Selected Permissions in SharePoint and OneDrive
Why it matters
Apps that require file access have traditionally been granted tenant-wide permissions like Sites.Read.All or Files.ReadWrite.All. This creates unnecessary risk when most apps only need access to a few resources.
Now, with Selected permissions, admins can explicitly scope an app’s access to only the SharePoint sites or OneDrive drives it needs.
How it works
Assign the app Sites.Selected permission.
Use Graph API or PowerShell to grant site-by-site or drive-level access.
The app cannot access anything else unless explicitly approved.
Examples
🎯 External partner tool limited to one site: A marketing agency app gets access only to Campaigns2024.sharepoint.com/sites/agency. No access to other business units.
📊 Power BI dashboard scoped to one user’s OneDrive: A BI tool reads from the sales director’s folder only, with no visibility into others’ content.
💡 Pro tip: You can automate the assignment of permissions using provisioning scripts as part of CI/CD for app deployment.
3. ✉️ Limiting Application Access to Exchange Mailboxes
Why it matters
By default, granting Graph API access to Mail.Read or Mail.Send gives apps full access to all mailboxes. That’s dangerous — especially for apps that only need access to shared inboxes or system accounts.
Now, Microsoft supports Application Access Policies, which allow you to scope permissions to specific mailboxes or groups.
How it works
Use PowerShell (New-ApplicationAccessPolicy) to define rules.
Apply policies per app, per mailbox, or via groups.
Supports both read and send permissions via Microsoft Graph.
Examples
🛠️ Helpdesk app scoped to support mailboxes only: Prevent the app from reading executive mailboxes by limiting it to support@company.com and techdesk@company.com.
🧾 HR automation tool restricted to onboarding inbox: The system only interacts with hr-onboarding@company.com for automated email workflows.
💡 Pro tip: Combine this with Conditional Access and App Enforced Restrictions for a fully bounded model.
🧠 Wrapping Up
These updates aren’t just helpful — they’re foundational for modern app governance in Microsoft 365. Each one aligns directly with Zero Trust principles:
Never trust by default (especially not apps),
Always verify (what method, what scope),
Limit exposure (to exact need).
Security, identity, and compliance teams should be reviewing existing app permissions today — and making sure they match actual usage. These tools now make that process automatable, auditable, and enforceable.
And if you’re looking to scale these controls across hundreds of apps or users, platforms like Griffin31 can help map, prioritize, and remediate gaps faster than ever.