All Collections
Outlook for NetSuite NextGen
FAQ
FAQ: Configuring Application Permissions Restriction in Microsoft Exchange Online
FAQ: Configuring Application Permissions Restriction in Microsoft Exchange Online

Outlook NextGen | This is the step-by-step process of Grant Graph API to Selected Users Only

Updated over a week ago

These steps are OPTIONAL.

Some Microsoft administrators have expressed a desire to limit application access to a specific set of users.

Microsoft empowers administrators to finely control application permissions for Exchange Online mailboxes, allowing for a more secure environment. This guide will delve into the step-by-step process of implementing a policy restricting application access to specific mailboxes. Following these steps ensures that applications, such as CloudExtend Outlook Autopilot, can only access data for users within the defined policy.

Step 1: Creating a Security Group

  • Log in to Admin Exchange Online.

  • Visit https://admin.exchange.microsoft.com and log in using your administrator credentials.

    Create a New Mail-Enabled Security Group

    1. Navigate to the group management section.

    2. Create a new mail-enabled security group.

    3. Assign a user-friendly name, like CloudExtend Outlook Users (which also serves as the group ID).

    4. Assign a group email for seamless communication within the group.

    5. Add owners to the group for future user management.

    6. Add users to grant access to CloudExtend Autopilot.

Step 2: Connecting to Exchange Online using PowerShell

  • Open PowerShell as Administrator.

    • Launch PowerShell with administrative privileges.

    • Import ExchangeOnlineManagement Module:

    • Execute the command:

      Import-Module ExchangeOnlineManagement

  • Connect to Exchange Online

    • Use the command by replacing the UserPrincipalName
      Connect-ExchangeOnline -UserPrincipalName admin@cloudextend.dev

    • A login window may pop up; enter your Microsoft account credentials.

Step 3: Creating the Restriction Policy

  • Create a New Policy for Email Autopilot

    Use the provided App IDs and the Security Group ID:

    • For Email Autopilot: f377cb8a-8902-42a0-8568-3b3bf88d7c0e

    • Set AccessRight to RestrictAccess.

      New-ApplicationAccessPolicy -AppId "f377cb8a-8902-42a0-8568-3b3bf88d7c0e" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."

  • Create a New Policy for Calendar Autopilot

    Use the provided App IDs and the Security Group ID:

    • For Calendar Autopilot: 29a4c0e1-93ee-485a-b9a0-2932caaf5129

    • Set AccessRight to RestrictAccess.

      New-ApplicationAccessPolicy -AppId "29a4c0e1-93ee-485a-b9a0-2932caaf5129" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."

Step 4: Testing the Policy

  • Use the following command to check permissions for a given user:

    For Email Autopilot

    Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f377cb8a-8902-42a0-8568-3b3bf88d7c0e

    For Calendar Autopilot

    Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f29a4c0e1-93ee-485a-b9a0-2932caaf5129

Sample output when access is granted

AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Mailbox : a5e26404-f30c-447b-ac11-e918851e179a

MailboxId : a5e26404-f30c-447b-ac11-e918851e179a

MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352

AccessCheckResult : Granted

Sample output when access is denied

AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Mailbox : a5e26404-f30c-447b-ac11-e918851e179a

MailboxId : a5e26404-f30c-447b-ac11-e918851e179a

MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352

AccessCheckResult : Denied

Disclaimer:

  • Please be aware that changes to these settings may take effect after an hour to propagate throughout your Microsoft Exchange Online environment.

  • We recommend reaching out to Microsoft Support for assistance with any issues encountered while connecting to Exchange Online.

  • Before assigning a CloudExtend license to new users, ensure that you first add them to the designated security group.

Did this answer your question?