These steps are OPTIONAL.
Some Microsoft 365 administrators have expressed a desire to limit application access to a specific set of users. Since this cannot be controlled at the application level, we have provided these steps from Microsoft to accomplish it.
Microsoft empowers administrators to finely control application permissions for Exchange Online mailboxes, allowing for a more secure environment. This guide will delve into the step-by-step process of implementing a policy restricting application access to specific mailboxes. Following these steps ensures that applications, such as ExtendSync Outlook Autopilot, can only access data for users within the defined policy.
Step 1: Creating a Security Group
Log in to the Exchange admin center.
Visit https://admin.exchange.microsoft.com and log in using your administrator credentials.
Create a New Mail-Enabled Security Group
Navigate to the group management section.
Create a new mail-enabled security group.
Assign a user-friendly name, like CloudExtend Outlook Users (which also serves as the group ID).
Assign a group email for seamless communication within the group.
Add owners to the group for future user management.
Add users to grant access to CloudExtend Autopilot.
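The same mail-enabled security group can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original guide: it assumes an open Connect-ExchangeOnline session (Step 2), and the alias, group address, owner and member addresses are placeholders that reuse the cloudextend.dev domain the guide uses for its admin account.

```powershell
# Added example: create the mail-enabled security group from PowerShell
# instead of the Exchange admin center. Requires an existing
# Connect-ExchangeOnline session (see Step 2). Addresses are placeholders.
$groupName = "CloudExtend Outlook Users"

# Only create the group if it does not already exist (-ErrorAction keeps the
# lookup from throwing when the group is missing).
$group = Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue
if (-not $group) {
    # -Type Security makes this a mail-enabled security group rather than a
    # plain distribution list; only security groups can scope an access policy.
    $group = New-DistributionGroup -Name $groupName `
        -DisplayName $groupName `
        -Alias "cloudextend-outlook-users" `
        -PrimarySmtpAddress "cloudextend-outlook-users@cloudextend.dev" `
        -Type Security `
        -ManagedBy "admin@cloudextend.dev"
}

# Members of this group are the only mailboxes the restricted apps may reach.
$members = @("user1@cloudextend.dev", "user2@cloudextend.dev")   # placeholders
foreach ($member in $members) {
    Add-DistributionGroupMember -Identity $groupName -Member $member -ErrorAction SilentlyContinue
}

# Confirm the group type and membership before building the policy on it;
# RecipientTypeDetails should read MailUniversalSecurityGroup.
Get-DistributionGroup -Identity $groupName | Select-Object Name, GroupType, RecipientTypeDetails
Get-DistributionGroupMember -Identity $groupName | Select-Object Name, PrimarySmtpAddress
```

Checking RecipientTypeDetails before Step 3 matters because New-ApplicationAccessPolicy only accepts a mail-enabled security group as its scope; a plain distribution list created by mistake will be rejected.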
Step 2: Connecting to Exchange Online using PowerShell
Reference: Connect to Exchange Online PowerShell
Open PowerShell as Administrator.
Launch PowerShell with administrative privileges.
Import ExchangeOnlineManagement Module:
Execute the command:
Import-Module ExchangeOnlineManagement
Connect to Exchange Online
Run the following command, replacing the UserPrincipalName with your administrator account:
Connect-ExchangeOnline -UserPrincipalName admin@cloudextend.dev
A login window may pop up; enter your Microsoft account credentials.
Step 3: Creating the Restriction Policy
Reference: New-ApplicationAccessPolicy
Create a New Policy for Email Autopilot
Use the provided App ID and the security group name from Step 1:
For Email Autopilot: f377cb8a-8902-42a0-8568-3b3bf88d7c0e
Set AccessRight to RestrictAccess.
New-ApplicationAccessPolicy -AppId "f377cb8a-8902-42a0-8568-3b3bf88d7c0e" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."
Create a New Policy for Calendar Autopilot
Use the provided App ID and the security group name from Step 1:
For Calendar Autopilot: 29a4c0e1-93ee-485a-b9a0-2932caaf5129
Set AccessRight to RestrictAccess.
New-ApplicationAccessPolicy -AppId "29a4c0e1-93ee-485a-b9a0-2932caaf5129" -PolicyScopeGroupId "Cloudextend Outlook Users" -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group CloudExtend Outlook Users."
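Both policies can be created in one pass that first checks whether a policy already exists for each App ID, so re-running the guide does not create duplicates. This is an added example rather than the guide's own commands; it assumes an open Connect-ExchangeOnline session and the group name from Step 1, and uses the two App IDs given above.

```powershell
# Added example: create both RestrictAccess policies in one pass and skip any
# App ID that already has a policy, so the guide can be re-run safely.
$groupName = "CloudExtend Outlook Users"
$apps = @{
    "Email Autopilot"    = "f377cb8a-8902-42a0-8568-3b3bf88d7c0e"
    "Calendar Autopilot" = "29a4c0e1-93ee-485a-b9a0-2932caaf5129"
}

$existing = Get-ApplicationAccessPolicy
foreach ($name in $apps.Keys) {
    $appId  = $apps[$name]
    $policy = $existing | Where-Object { $_.AppId -eq $appId }
    if ($policy) {
        Write-Host "Policy already exists for $name ($appId): $($policy.AccessRight) on $($policy.ScopeName)"
        continue
    }
    # RestrictAccess limits the app to the group's mailboxes; DenyAccess would
    # instead block the app from those mailboxes, which is not what we want here.
    New-ApplicationAccessPolicy -AppId $appId `
        -PolicyScopeGroupId $groupName `
        -AccessRight RestrictAccess `
        -Description "Restrict $name to members of security group $groupName."
    Write-Host "Created RestrictAccess policy for $name ($appId)"
}

# List the resulting policies; AccessRight should read RestrictAccess and
# ScopeName should be the group created in Step 1.
Get-ApplicationAccessPolicy | Select-Object AppId, AccessRight, ScopeName, Description
```

Microsoft documents that a new or changed application access policy can take up to 30 minutes to be enforced, so a Test-ApplicationAccessPolicy run immediately after creation may not yet reflect the restriction; wait for that window before concluding the policy is wrong.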
Step 4: Testing the Policy
Use the following command to check permissions for a given user:
For Email Autopilot
Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId f377cb8a-8902-42a0-8568-3b3bf88d7c0e
For Calendar Autopilot
Test-ApplicationAccessPolicy -Identity user@cloudextend.dev -AppId 29a4c0e1-93ee-485a-b9a0-2932caaf5129
Sample output when access is granted
AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e
Mailbox : a5e26404-f30c-447b-ac11-e918851e179a
MailboxId : a5e26404-f30c-447b-ac11-e918851e179a
MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352
AccessCheckResult : Granted
Sample output when access is denied
AppId : f377cb8a-8902-42a0-8568-3b3bf88d7c0e
Mailbox : a5e26404-f30c-447b-ac11-e918851e179a
MailboxId : a5e26404-f30c-447b-ac11-e918851e179a
MailboxSid : S-1-5-21-442789921-1734088458-2035306496-28762352
AccessCheckResult : Denied
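A single-user spot check confirms the policy resolves, but the useful test is that a group member is Granted and a non-member is Denied for both apps. The script below is an added example, not part of the guide: it assumes an open Connect-ExchangeOnline session and uses placeholder mailboxes (one expected in scope, one expected out of scope) on the cloudextend.dev domain.

```powershell
# Added example: verify the policy for a set of mailboxes against both app IDs.
# A member of the group should come back Granted; a non-member should be Denied.
$apps = @{
    "Email Autopilot"    = "f377cb8a-8902-42a0-8568-3b3bf88d7c0e"
    "Calendar Autopilot" = "29a4c0e1-93ee-485a-b9a0-2932caaf5129"
}
# Placeholder test set: one user expected to be in the group, one expected not to be.
$expectations = @{
    "user@cloudextend.dev"     = "Granted"
    "outsider@cloudextend.dev" = "Denied"
}

$failures = 0
foreach ($upn in $expectations.Keys) {
    foreach ($name in $apps.Keys) {
        $result   = Test-ApplicationAccessPolicy -Identity $upn -AppId $apps[$name]
        $actual   = "$($result.AccessCheckResult)"
        $expected = $expectations[$upn]
        if ($actual -eq $expected) { $status = "OK  " } else { $status = "FAIL"; $failures++ }
        Write-Host ("{0} {1,-20} {2,-26} expected={3,-8} actual={4}" -f $status, $name, $upn, $expected, $actual)
    }
}

if ($failures -gt 0) {
    Write-Warning "$failures check(s) did not match. Either the policy is still propagating (allow up to 30 minutes) or the group membership differs from what you expect."
} else {
    Write-Host "All checks matched: the apps are scoped to the security group."
}
```

Including a mailbox that should be Denied is the part most often skipped; without it, a policy that was created against the wrong group, or not created at all, still shows Granted for the member you test and looks correct.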