Restrict the Scope of API Permissions.


The configuration below applies only when configuring ResourceXpress for a Microsoft Graph integration.

The permissions configured during the Azure App Registration for ResourceXpress will grant Read & Write permissions to all Mailboxes in the tenant.

To restrict access to a specific subset of mailboxes, follow the steps below.

Create a Mail-Enabled Security Group

Configure a mail-enabled security group in the Exchange Admin Center.
Use Microsoft's guide for “Manage mail-enabled security groups”.

Add all resource mailboxes that will be used in ResourceXpress as members of this security group.

Create an ApplicationAccessPolicy (PowerShell)

The following step requires the Azure App Registration Client ID. Our guide on how to create this is Graph API & OAuth 2.0 Configuration for Office 365 | Getting the Client & Tenant ID’s.

Connect to Exchange Online in PowerShell. The initial connection process is covered in our guide, Microsoft Office 365.

Copy and paste the below command. Replace <app-id> with the App Registration Client ID and replace <security group email> with the SMTP address of the mail-enabled security group created in the first step.

New-ApplicationAccessPolicy -AppId <app-id> -PolicyScopeGroupId <security group email> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group <security group name>."

For further information, and for details on testing this policy, please see Microsoft's guide for “Scoping application permissions to specific Exchange Online mailboxes”.
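One way to test the policy from the same Exchange Online session, as an added example that is not part of the ResourceXpress guide: it checks that every member of the security group evaluates to Granted and that a mailbox outside the group evaluates to Denied. The variable names and the `<mailbox outside the group>` placeholder are assumptions introduced for this example.

```powershell
# Added example: verify that the ApplicationAccessPolicy scopes the app as intended.
# Assumes an existing Exchange Online PowerShell session.
# All three values are placeholders; replace them before running.
$AppId          = '<app-id>'                     # App Registration Client ID
$GroupSmtp      = '<security group email>'       # mail-enabled security group
$OutsideMailbox = '<mailbox outside the group>'  # hypothetical non-member, used as the negative check

# 1. Confirm a RestrictAccess policy exists for this app.
$policy = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $policy) {
    throw "No RestrictAccess policy found for AppId $AppId."
}

# 2. Every member of the group is expected to evaluate to Granted.
$checks = @(
    foreach ($member in Get-DistributionGroupMember -Identity $GroupSmtp -ResultSize Unlimited) {
        [pscustomobject]@{ Mailbox = [string]$member.PrimarySmtpAddress; Expected = 'Granted' }
    }
)

# 3. A mailbox outside the group is expected to evaluate to Denied.
$checks += [pscustomobject]@{ Mailbox = $OutsideMailbox; Expected = 'Denied' }

# 4. Evaluate each mailbox against the policy and compare with the expectation.
$report = foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -AppId $AppId -Identity $check.Mailbox
    [pscustomobject]@{
        Mailbox  = $check.Mailbox
        Expected = $check.Expected
        Actual   = [string]$result.AccessCheckResult
        Pass     = ([string]$result.AccessCheckResult -eq $check.Expected)
    }
}

$report | Format-Table -AutoSize

# Fail loudly if any mailbox is over- or under-scoped.
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    throw "$($failed.Count) mailbox(es) did not match the expected access result."
}
```

A Denied result for a resource mailbox means it is missing from the security group. Policy changes can take more than an hour to apply to Microsoft Graph calls, even when `Test-ApplicationAccessPolicy` already reports the expected result.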

 
