Currently, daemon applications that use a service account with Basic authentication can be restricted to specific mailboxes through mailbox delegation or custom roles in Exchange Online. When Basic auth is deprecated for EWS, the changeover to OAuth is fairly trivial, but the problem is that a daemon application that can accept no interaction (app delegation) will have access to every mailbox in the org (full_access_as_app).
For Graph, application access policies remedy this, but I am not finding any way to scope EWS Managed API applications using OAuth with app delegation to only be able to access specific mailboxes.
Is there planned activity to remedy this? (Or am I just unaware of how to achieve this with currently available methods?)