These steps are OPTIONAL.
Some Microsoft administrators have expressed a desire to limit application access to a specific set of users.
Microsoft empowers administrators to finely control application permissions for Exchange Online mailboxes, allowing for a more secure environment. This guide will delve into the step-by-step process of implementing a policy restricting application access to specific mailboxes. Following these steps ensures that applications, such as CloudExtend Outlook Autopilot, can only access data for users within the defined policy.
Step 1: Creating a Security Group
Log in to Admin Exchange Online.
Visit https://admin.exchange.microsoft.com and log in using your administrator credentials.
Create a New Mail-Enabled Security Group
Navigate to the group management section.
Create a new mail-enabled security group.
Assign a user-friendly name, like CloudExtend Outlook Users (which also serves as the group ID).
Assign a group email for seamless communication within the group.
Add owners to the group for future user management.
Add users to grant access to CloudExtend Autopilot.
Step 2: Connecting to Exchange Online using PowerShell
Reference: Connect to Exchange Online PowerShell
Open PowerShell as Administrator.
Launch PowerShell with administrative privileges.
Import ExchangeOnlineManagement Module:
Execute the command:
Import-Module ExchangeOnlineManagement
Connect to Exchange Online
Use the command by replacing the UserPrincipalName
Connect-ExchangeOnline -UserPrincipalName admin@cloudextend.devA login window may pop up; enter your Microsoft account credentials.
Step 3: Creating the Restriction Policy
Reference: New-ApplicationAccessPolicy
Create a New Policy for Email Autopilot
Use the provided App IDs and the Security Group ID:
For Email Autopilot: f377cb8a-8902-42a0-8568-3b3bf88d7c0e
Set AccessRight to RestrictAccess.
New-ApplicationAccessPolicy -AppId "f377cb8a-8902-42a0-8568-3b3bf88d7c0e" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."
Create a New Policy for Calendar Autopilot
Use the provided App IDs and the Security Group ID:
For Calendar Autopilot: 29a4c0e1-93ee-485a-b9a0-2932caaf5129
Set AccessRight to RestrictAccess.
New-ApplicationAccessPolicy -AppId "29a4c0e1-93ee-485a-b9a0-2932caaf5129" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."
Step 4: Testing the Policy
Use the following command to check permissions for a given user:
For Email Autopilot
Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f377cb8a-8902-42a0-8568-3b3bf88d7c0eFor Calendar Autopilot
Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f29a4c0e1-93ee-485a-b9a0-2932caaf5129
Sample output when access is granted
AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e
Mailbox : a5e26404-f30c-447b-ac11-e918851e179a
MailboxId : a5e26404-f30c-447b-ac11-e918851e179a
MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352
AccessCheckResult : Granted
Sample output when access is denied
AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e
Mailbox : a5e26404-f30c-447b-ac11-e918851e179a
MailboxId : a5e26404-f30c-447b-ac11-e918851e179a
MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352
AccessCheckResult : Denied
Disclaimer:
|