Control access with a mail-enabled security group
Granting consent during the onboard process allows Graph API access to all calendars in an Microsoft 365 tenant. We recommend applying an Application Access Policy and Management Scope to restrict access to specific calendars only. The Application Access Policy can either restrict or deny Graph API access to members of a mail-enabled security group.
There are two types of permissions that can be applied to the Application Access Policy, depending on whether you wish to allow or deny access to the mailboxes added to the mail-enabled security group.
a) Use DenyAccess to deny access to mailboxes in the group and allow access to all other mailboxes.
b) Use RestrictAccess to allow access to mailboxes in the group and restrict access to all other mailboxes.
How is it done?
Use the following PowerShell scripts to create a new mail-enabled security group, create an Application Access Policy and create the Management Scope, to restrict access to specific mailboxes.
- Login with your Microsoft 365 Admin account and then run the following scripts to create the session.
1. Set-ExecutionPolicy RemoteSigned 2. $UserCredential = Get-Credential 3. Connect-ExchangeOnline -Credential $UserCredential 4. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection 5. Import-PSSession $Session -AllowClobber
- Check your Microsoft 365 Service account does not have full impersonation rights.
Get-ManagementRoleAssignment -RoleAssignee "Enter service account name"
- Create a new mail-enabled security group to manage the mailboxes that you will either allow or deny access to.
New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type security
- Create an Application Access Policy on the mail-enabled security group.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"
- Request the group identity (needed when mailboxes are added to the security group)
$DG = Get-DistributionGroup -Identity "Enter Group Mailbox ID"
- Create Management Scope.
New-ManagementScope "Enter new name of management scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
- Assign Management Scope to group
New-ManagementRoleAssignment -Name:"Enter new name of role assignment" -Role:ApplicationImpersonation -User:"Enter service account mailbox id" -CustomRecipientWriteScope:"Enter name of management scope created in the previous step"