The permissions configured during the Azure App Registration for ResourceXpress will grant Read & Write permissions to all Resource Mailboxes in the tenant.

To further restrict access to a specific subset of mailboxes, follow the steps below.

Create a Mail-Enabled Security Group

Configure a mail-enabled security group in the Exchange Admin Center.
Use Microsoft's guide for “Manage mail-enabled security groups”.

Add all resource mailboxes that will be used in ResourceXpress as members of this security group.

Create an ApplicationAccessPolicy (PowerShell)

The following step requires the Azure App Registration Client ID. See our guide on how to create this here: https://resourcexpress.atlassian.net/wiki/spaces/RSG/pages/1349091544/Graph+API+OAuth+2.0+Configuration+for+Office+365#Getting-the-Client-%26-Tenant-ID%E2%80%99s.

Connect to Exchange Online in PowerShell.

See our guide which covers the initial connection process here, https://resourcexpress.atlassian.net/wiki/pages/resumedraft.action?draftId=106233906.

Copy and paste the below command. Replace <app-id> with the App Registration Client ID and replace <security group email> with the SMTP address of the mail-enabled security group created in the first step.

```powershell
New-ApplicationAccessPolicy -AppId <app-id> -PolicyScopeGroupId <security group email> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group <security group name>."
```

For further information and for details on testing this policy, please see the Microsoft guide for “Scoping application permissions to specific Exchange Online mailboxes”.
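One way to check the resulting scope after the policy is created, as an added example that is not part of the original guide: it compares the result of Test-ApplicationAccessPolicy for every room and equipment mailbox against membership of the security group. The app ID and group address are placeholders, and the script assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example: placeholder values, replace before running.
$AppId      = '00000000-0000-0000-0000-000000000000'  # App Registration Client ID (placeholder)
$ScopeGroup = 'rx-resources@example.com'              # mail-enabled security group (placeholder)

# 1. Confirm a RestrictAccess policy exists for this app and show it.
$policy = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $policy) { throw "No RestrictAccess policy found for app $AppId" }
$policy | Format-List

# 2. Collect the SMTP addresses of the group's direct members.
$members = @(Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() })

# 3. Test every resource mailbox: members should be Granted, all others Denied.
$report = Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited |
    ForEach-Object {
        $smtp     = $_.PrimarySmtpAddress.ToString()
        $expected = if ($members -contains $smtp.ToLower()) { 'Granted' } else { 'Denied' }
        $actual   = (Test-ApplicationAccessPolicy -Identity $smtp -AppId $AppId).AccessCheckResult
        [pscustomobject]@{
            Mailbox  = $smtp
            Expected = $expected
            Actual   = "$actual"
            Match    = ("$actual" -eq $expected)
        }
    }

$report | Sort-Object Match, Mailbox | Format-Table -AutoSize

# 4. Flag anything outside the intended scope. A mailbox that is Granted but not
#    a group member may be covered by another policy for the same app.
$mismatch = @($report | Where-Object { -not $_.Match })
if ($mismatch.Count -gt 0) {
    Write-Warning "$($mismatch.Count) mailbox(es) do not match the intended scope."
    $mismatch | Format-Table Mailbox, Expected, Actual -AutoSize
} else {
    Write-Host "All $(@($report).Count) resource mailboxes match the intended scope."
}
```

Microsoft's documentation notes that policy changes can take more than an hour to take effect for Microsoft Graph calls, even when Test-ApplicationAccessPolicy already reports the expected result.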