Setup: Microsoft 365 tenant. One application needs to send email via the Microsoft Graph API.
Problem: Granting the Mail.Send application permission is dangerous if it is not restricted to a single mailbox. By default the application can send as every user in the organization.
Solution: Before granting admin consent for the permission as Global Administrator, do the following to restrict Send As to a single account.
Step 1. Create a shared mailbox that will be used as the Send As identity. It does not require a license, and replies can be read by several people.
Step 2. Create a mail-enabled security group with a single member: the shared mailbox created above.
Step 3. Sign in to the Azure portal and note the Application (client) ID of the application.
Step 4. Connect to Exchange Online and run the following PowerShell:
Connect-ExchangeOnline -UserPrincipalName your_upn@your_domain.com
New-ApplicationAccessPolicy -AppId <App ID from previous step> -PolicyScopeGroupId <email address of the security group> -AccessRight RestrictAccess -Description "Restrict Send As to members of <name of the group>"
Step 5. Now the GA can grant consent. The application can only send email as the shared mailbox. Note that application access policies scope application (app-only) permissions such as Mail.Send; they do not affect delegated permissions, and a new policy can take some time to take effect.
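The whole procedure as one script, plus the check a practitioner should run before granting consent. This is an added example, not part of the original write-up: the tenant, mailbox, group and user names and the Application (client) ID are placeholders to replace with your own values. It uses Test-ApplicationAccessPolicy to confirm the policy grants the shared mailbox and denies an ordinary user.

```powershell
# Added worked example (not part of the original post). All names, addresses
# and the App ID below are assumed placeholders; replace them with your own.
$Upn        = "admin@contoso.com"                        # admin who runs the script
$SharedName = "App Notifications"                        # shared mailbox display name
$SharedSmtp = "app-notifications@contoso.com"            # shared mailbox address (Send As identity)
$GroupName  = "SG-MailSend-AppNotifications"             # mail-enabled security group
$GroupSmtp  = "sg-mailsend-appnotifications@contoso.com" # group address used as PolicyScopeGroupId
$AppId      = "00000000-0000-0000-0000-000000000000"     # Application (client) ID from the portal
$OtherUser  = "alice@contoso.com"                        # any regular user, for the negative test

Connect-ExchangeOnline -UserPrincipalName $Upn

# Step 1: shared mailbox; no license required, replies land where several people can read them.
New-Mailbox -Shared -Name $SharedName -DisplayName $SharedName -PrimarySmtpAddress $SharedSmtp | Out-Null

# Step 2: mail-enabled security group whose only member is the shared mailbox.
New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp -Members $SharedSmtp | Out-Null

# Step 4: scope the application to the group. RestrictAccess means the app may
# reach only mailboxes that are members of this group; everything else is denied.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp -AccessRight RestrictAccess `
    -Description "Restrict Send As for $AppId to members of $GroupName"

# Show what was created.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } | Format-List AppId, ScopeIdentity, AccessRight, Description

# Check before granting consent: the shared mailbox must be Granted, a regular user Denied.
$granted = Test-ApplicationAccessPolicy -Identity $SharedSmtp -AppId $AppId
$denied  = Test-ApplicationAccessPolicy -Identity $OtherUser  -AppId $AppId
"$SharedSmtp : $($granted.AccessCheckResult)"
"$OtherUser : $($denied.AccessCheckResult)"

if ($granted.AccessCheckResult -ne 'Granted' -or $denied.AccessCheckResult -ne 'Denied') {
    throw "Application access policy is not scoping $AppId as intended; do not grant consent yet."
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the check throws immediately after creation, wait and rerun it: both the new recipients and the new policy need time to propagate before Test-ApplicationAccessPolicy reflects them. Once it reports Granted and Denied as expected, grant the Mail.Send admin consent; a Graph sendMail call as any mailbox outside the group will then be rejected with an access-denied error.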