FAQ: Configuring Application Permissions Restriction in Microsoft Exchange Online

ExtendSync Outlook | Step-by-step process for granting Graph API access to selected users only

Updated over a month ago

These steps are OPTIONAL.

Some Microsoft administrators have expressed a desire to limit application access to a specific set of users. Since this cannot be controlled at the application level, we have provided these steps from Microsoft to accomplish it.

Microsoft empowers administrators to finely control application permissions for Exchange Online mailboxes, allowing for a more secure environment. This guide will delve into the step-by-step process of implementing a policy restricting application access to specific mailboxes. Following these steps ensures that applications, such as ExtendSync Outlook Autopilot, can only access data for users within the defined policy.

Step 1: Creating a Security Group

  • Log in to Admin Exchange Online.

  • Visit https://admin.exchange.microsoft.com and log in using your administrator credentials.

    Create a New Mail-Enabled Security Group

    1. Navigate to the group management section.

    2. Create a new mail-enabled security group.

    3. Assign a user-friendly name, like CloudExtend Outlook Users (which also serves as the group ID).

    4. Assign a group email for seamless communication within the group.

    5. Add owners to the group for future user management.

    6. Add users to grant access to CloudExtend Autopilot.

Step 2: Connecting to Exchange Online using PowerShell

  • Open PowerShell as Administrator.

    • Launch PowerShell with administrative privileges.

  • Import the ExchangeOnlineManagement module.

    • Execute the command:

      Import-Module ExchangeOnlineManagement

  • Connect to Exchange Online

    • Use the following command, replacing the UserPrincipalName value with your administrator account:
      Connect-ExchangeOnline -UserPrincipalName admin@cloudextend.dev

    • A login window may pop up; enter your Microsoft account credentials.

Step 3: Creating the Restriction Policy

  • Create a New Policy for Email Autopilot

    Use the provided App IDs and the Security Group ID:

    • For Email Autopilot: f377cb8a-8902-42a0-8568-3b3bf88d7c0e

    • Set AccessRight to RestrictAccess.

      New-ApplicationAccessPolicy -AppId "f377cb8a-8902-42a0-8568-3b3bf88d7c0e" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."

  • Create a New Policy for Calendar Autopilot

    Use the provided App IDs and the Security Group ID:

    • For Calendar Autopilot: 29a4c0e1-93ee-485a-b9a0-2932caaf5129

    • Set AccessRight to RestrictAccess.

      New-ApplicationAccessPolicy -AppId "29a4c0e1-93ee-485a-b9a0-2932caaf5129" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."

Step 4: Testing the Policy

  • Use the following command to check permissions for a given user:

    For Email Autopilot

    Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f377cb8a-8902-42a0-8568-3b3bf88d7c0e

    For Calendar Autopilot

    Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId 29a4c0e1-93ee-485a-b9a0-2932caaf5129

Sample output when access is granted

AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Mailbox : a5e26404-f30c-447b-ac11-e918851e179a

MailboxId : a5e26404-f30c-447b-ac11-e918851e179a

MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352

AccessCheckResult : Granted

Sample output when access is denied

AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e

Mailbox : a5e26404-f30c-447b-ac11-e918851e179a

MailboxId : a5e26404-f30c-447b-ac11-e918851e179a

MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352

AccessCheckResult : Denied
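
The check in Step 4, extended to every member of the group and both app IDs, as an added example (not ExtendSync's or Microsoft's own script). It assumes the session from Step 2 is still connected, and it uses a placeholder address for a mailbox outside the group, which you must replace with a real one.

```powershell
# Added example: verify both restriction policies after Step 3.
# Assumes an active Connect-ExchangeOnline session (Step 2).
$GroupName = 'CloudExtend Outlook Users'   # group created in Step 1
$Apps = @{
    'Email Autopilot'    = 'f377cb8a-8902-42a0-8568-3b3bf88d7c0e'
    'Calendar Autopilot' = '29a4c0e1-93ee-485a-b9a0-2932caaf5129'
}
# Placeholder (assumption): replace with a real mailbox that is NOT in the group.
$OutsideMailbox = 'not-in-group@example.com'

# 1. Confirm a RestrictAccess policy exists for each app ID.
$policies = Get-ApplicationAccessPolicy
foreach ($name in $Apps.Keys) {
    $match = $policies | Where-Object {
        $_.AppId -eq $Apps[$name] -and $_.AccessRight -eq 'RestrictAccess'
    }
    if (-not $match) {
        Write-Warning "No RestrictAccess policy found for $name ($($Apps[$name]))"
    }
}

# 2. Build expectations: group members -> Granted, outside mailbox -> Denied.
#    Only user mailboxes that are direct members of the group are tested.
$expected = @{}
Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object { $expected["$($_.PrimarySmtpAddress)"] = 'Granted' }
$expected[$OutsideMailbox] = 'Denied'

# 3. Test every mailbox against every app and record mismatches.
$results = foreach ($mailbox in $expected.Keys) {
    foreach ($name in $Apps.Keys) {
        $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $Apps[$name]
        [pscustomobject]@{
            Mailbox  = $mailbox
            App      = $name
            Expected = $expected[$mailbox]
            Actual   = "$($check.AccessCheckResult)"
            Ok       = ("$($check.AccessCheckResult)" -eq $expected[$mailbox])
        }
    }
}
$results | Sort-Object Ok, Mailbox | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'Results differ from expectations; recheck after the policy has propagated.'
}
```

Rows with Ok = False sort to the top: a Granted result for the outside mailbox means the restriction is not in effect for that app.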

Disclaimer:

  • Please be aware that changes to these settings may take an hour to propagate throughout your Microsoft Exchange Online environment.

  • We recommend reaching out to Microsoft Support for assistance with any issues encountered while connecting to Exchange Online.

  • Before assigning an ExtendSync license to new users, ensure that you first add them to the designated security group.
