FAQ: Configuring Application Permissions Restriction in Microsoft Exchange Online

These steps are OPTIONAL.

Some Microsoft administrators have expressed a desire to limit the mailboxes that CloudExtend Autopilot has access to.

Microsoft empowers administrators to finely control application permissions for Exchange Online mailboxes, allowing for a more secure environment. This guide will delve into the step-by-step process of implementing a policy restricting application access to specific mailboxes. Following these steps ensures that applications, such as CloudExtend Outlook Autopilot, can only access data for users within the defined policy.

Step 1: Creating a Security Group

Reference: Manage mail-enabled security groups in Exchange Online

Log in to Admin Exchange Online.
Visit https://admin.exchange.microsoft.com and log in using your administrator credentials.
Create a New Mail-Enabled Security Group.
- Navigate to the group management section
- Create a new mail-enabled security group
- Assign a user-friendly name, like CloudExtend Outlook Users (which also serves as the group ID).
- Assign a group email for seamless communication within the group.
- Add owners to the group for future user management.
Add users to grant access to CloudExtend Autopilot.

Step 2: Connecting to Exchange Online using PowerShell

Reference: Connect to Exchange Online PowerShell

Open PowerShell as Administrator.
- Launch PowerShell with administrative privileges.
- Import ExchangeOnlineManagement Module:
- Execute the command:
  Import-Module ExchangeOnlineManagement
Connect to Exchange Online
- Use the command by replacing the UserPrincipalName
  Connect-ExchangeOnline -UserPrincipalName admin@cloudextend.dev
- A login window may pop up; enter your Microsoft account credentials.

Step 3: Creating the Restriction Policy

Reference: New-ApplicationAccessPolicy

Create a New Policy.
- Use the provided App ID (f377cb8a-8902-42a0-8568-3b3bf88d7c0e) and the Security Group ID.
- Set AccessRight to RestrictAccess.

New-ApplicationAccessPolicy -AppId "f377cb8a-8902-42a0-8568-3b3bf88d7c0e" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."

Step 4: Testing the Policy

Use the following command to check permissions for a given user:
Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Sample output when access is granted

AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Mailbox : a5e26404-f30c-447b-ac11-e918851e179a

MailboxId : a5e26404-f30c-447b-ac11-e918851e179a

MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352

AccessCheckResult : Granted

Sample output when access is denied

AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Mailbox : a5e26404-f30c-447b-ac11-e918851e179a

MailboxId : a5e26404-f30c-447b-ac11-e918851e179a

MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352

AccessCheckResult : Denied

Disclaimer:

Please be aware that changes to these settings may take effect after an hour to propagate throughout your Microsoft Exchange Online environment.

We recommend reaching out to Microsoft Support for assistance with any issues encountered while connecting to Exchange Online.
Before assigning a CloudExtend license to new users, ensure that you first add them to the designated security group.

Admin: Understand CloudExtend Outlook Client, Server, and NetSuite Prerequisites

Admin Portal: Grant Microsoft API Access

Why We Built It: CloudExtend Outlook for NetSuite NextGen

Admin: Configure Shared or Delegate Mailboxes CloudExtend Outlook for NetSuite NextGen

Email Sync: Using Autopilot in Shared or Delegate Mailboxes for CloudExtend Outlook NextGen