Integrating Microsoft 365 Mail Securely with Splunk SOAR Using Exchange Online RBAC
Do you want to integrate Microsoft 365 email into automation workflows without granting broad permissions to your Azure Entra app?
Many organizations are now moving toward least-privilege models, where broad Graph API permissions such as Mail.ReadWrite are considered too risky to grant at the tenant level, because they expose every mailbox in the tenant to the application.
This blog outlines how to implement Exchange RBAC while maintaining a least-privileged security model.
Solution: Exchange Online Application RBAC
Instead of assigning broad permissions at the Azure app registration level, Microsoft now allows fine-grained mailbox-level permissions via Exchange Online Role Assignments.
This approach allows:
- Assigning permissions like Mail.ReadWrite and Mail.Send only to specific mailboxes
- Avoiding global Graph permission grants in Entra
- Maintaining strict compliance with least-privilege principles
Integrate Microsoft 365 with Splunk SOAR via RBAC
Create an App under O365
- Sign in to https://entra.microsoft.com
- Go to Applications (Enterprise Applications), then create a new application.
Note: No permissions are required on the Azure Entra application for this procedure.
Setup Exchange Online Application Access Policy (RBAC)
- Connect to Exchange Online using PowerShell (requires the ExchangeOnlineManagement module)
$ Connect-ExchangeOnline -UserPrincipalName <username@domain.com> -LoadCmdletHelp
- Verify the connection to Exchange Online
$ Get-ConnectionInformation
- Register the Entra application as a service principal in Exchange Online with New-ServicePrincipal (the ObjectId is the Object ID of the enterprise application, i.e. the service principal, not the app registration)
$ New-ServicePrincipal -AppId <App ID> -ObjectId <ObjectID> -DisplayName "splunk soar"
- Create a management scope whose recipient filter matches only the mailbox(es) the app may touch
$ New-ManagementScope -Name "LimitedMailboxScope" -RecipientRestrictionFilter "PrimarySmtpAddress -eq '<UserEmail@domain.com>'"
$ Get-ManagementScope
- Now create the role assignments, binding the application roles to the app and restricting them to the custom scope
$ New-ManagementRoleAssignment -Name MailReadWriteSOARGraph -Role "Application Mail.ReadWrite" -App <App ID> -CustomResourceScope "LimitedMailboxScope"
$ New-ManagementRoleAssignment -Name MailSendSOARGraph -Role "Application Mail.Send" -App <App ID> -CustomResourceScope "LimitedMailboxScope"
- After this RBAC configuration, the app registration in Entra still shows no API permissions: access is granted entirely by the Exchange role assignments above.
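Once the assignments exist, it is worth confirming that the scope really constrains the app rather than trusting the empty permissions blade in Entra. The following script is an added example and is not part of the original post: it lists the application role assignments for the app, flags any that lack a custom scope (i.e. apply tenant-wide), and uses Test-ServicePrincipalAuthorization to check effective access against one mailbox inside the scope and one outside it. It assumes an active Connect-ExchangeOnline session; $AppId, $InScopeMailbox and $OutOfScopeMailbox are placeholders you supply.

```powershell
# Added example (not from the original post): audit Exchange Online application
# RBAC for a service principal and verify the management scope limits it.
# Assumes an active Connect-ExchangeOnline session. All three parameters are
# placeholders you must replace with values from your tenant.
param(
    [Parameter(Mandatory)] [string] $AppId,             # Entra application (client) ID
    [Parameter(Mandatory)] [string] $InScopeMailbox,    # mailbox named in the scope filter
    [Parameter(Mandatory)] [string] $OutOfScopeMailbox  # any other mailbox in the tenant
)

# 1. List every application role assignment granted to this app.
$assignments = Get-ManagementRoleAssignment -App $AppId |
    Where-Object { $_.Role -like 'Application *' }

if (-not $assignments) { throw "No application role assignments found for $AppId" }

foreach ($a in $assignments) {
    # An assignment with no CustomResourceScope applies to every mailbox in the
    # tenant, which is exactly the broad grant this procedure is meant to avoid.
    $scope = if ($a.CustomResourceScope) { $a.CustomResourceScope } else { 'TENANT-WIDE (no custom scope)' }
    Write-Output ("{0,-30} {1,-30} {2}" -f $a.Name, $a.Role, $scope)
}

# 2. Ask Exchange to evaluate the app's effective access to a given mailbox.
function Test-AppMailboxAccess {
    param([string] $App, [string] $Mailbox)
    Test-ServicePrincipalAuthorization -Identity $App -Resource $Mailbox |
        Select-Object @{ n = 'Mailbox'; e = { $Mailbox } }, RoleName, GrantedPermissions, InScope
}

$results = @(
    Test-AppMailboxAccess -App $AppId -Mailbox $InScopeMailbox
    Test-AppMailboxAccess -App $AppId -Mailbox $OutOfScopeMailbox
)
$results | Format-Table -AutoSize

# 3. Fail loudly if the app is in scope for the mailbox it must not reach.
$leak = $results | Where-Object { $_.Mailbox -eq $OutOfScopeMailbox -and $_.InScope }
if ($leak) {
    throw "Scope check failed: $AppId is in scope for $OutOfScopeMailbox"
}
Write-Output "Scope check passed: $AppId is limited to $InScopeMailbox"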
Setting up Splunk SOAR Asset
- Install the following app on the Splunk SOAR instance:
  App Name: MS Graph for Office 365
  Splunkbase link: https://splunkbase.splunk.com/app/5824
- Next, configure a new asset in the app. Enter the following details from the Microsoft application you created previously:
  - Tenant ID
  - Application ID
  - Application Secret
- Select “Admin Consent Already Provided”
If ‘Admin Consent Already Provided’ is checked, the app skips the interactive flow and uses the client credentials grant to obtain tokens. If it is unchecked, the app follows the user workflow. Refer to this link to know more about user workflows.
Note: Test Connectivity for this asset will fail, because it requires permission to list users, which this application has deliberately not been granted. Ignore the failure and continue with the next steps.
What happens if admin consent is not provided, and why provide it
Testing and Executing Actions in Splunk SOAR
For testing, we executed the send email and get email actions from a sample container. We were able to perform actions on the mailbox without assigning any permission on the Azure Entra application configuration. Below are the action results.
Polling for Email
Building secure integrations with Microsoft 365 mail, especially with tools like Splunk SOAR, can feel tricky when you are trying to avoid giving your app too many permissions.
Rather than assigning broad Graph API permissions that provide access to all mailboxes, you can use Exchange Online Application RBAC to give your app just the right level of access, and only to the mailboxes it actually needs. It is a cleaner, safer, and more controlled approach that keeps the integration within organizational security policies.
For more information, explore our Splunk SOAR services.