Control access with a mail-enabled security group and an Application Access Policy

Granting consent during the onboarding process allows Graph API to get notifications from all calendars in a Microsoft 365 tenant. We recommend applying an Application Access Policy to restrict access to specific calendars only. The Application Access Policy can either allow or deny notifications to Graph API from members of a mail-enabled security group.

Two types of permissions can be applied to the Application Access Policy, depending on whether you wish to allow or deny access to the calendars of the users added to the mail-enabled security group.

a) Use DenyAccess to deny access to the calendars belonging to the group and allow access to all other user calendars.
b) Use RestrictAccess to allow access to the calendars belonging to the group and restrict access to all other calendars.

Learn more about New-ApplicationAccessPolicy at Microsoft.

How is it done?

Use the following PowerShell scripts to create a new mail-enabled security group and create an Application Access Policy to restrict access to specific calendars.

  1. Log in with your Microsoft 365 Admin account and run the following scripts to create the session.
     Set-ExecutionPolicy RemoteSigned
     $UserCredential = Get-Credential
     Connect-ExchangeOnline -Credential $UserCredential
     # Legacy remote-session method (Basic authentication, deprecated in Exchange Online); not needed once Connect-ExchangeOnline has connected.
     $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
     Import-PSSession $Session -AllowClobber
  2. Create a new mail-enabled security group to manage the calendars that you will either allow or deny access to.
     New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type Security
  3. Create an Application Access Policy for the mail-enabled security group.
     # RestrictAccess corresponds to option b) above; use -AccessRight DenyAccess for option a).
     New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"
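
To confirm the policy from step 3 scopes the app as intended, the following added example (not part of the original scripts or the vendor's tooling) checks every mailbox in the group and a list of mailboxes outside it with Test-ApplicationAccessPolicy. The function name Test-CalendarPolicyScope, its parameter names, and the App ID and addresses in the final call are hypothetical placeholders.

```powershell
# Added example: verify the policy from step 3. Requires an active Connect-ExchangeOnline session.
function Test-CalendarPolicyScope {
    param(
        [Parameter(Mandatory)] [string]   $AppId,          # Token Provider AD App ID
        [Parameter(Mandatory)] [string]   $GroupIdentity,  # mail-enabled security group
        [Parameter(Mandatory)] [string[]] $OutsideMailbox, # mailboxes that are NOT group members
        [ValidateSet('RestrictAccess', 'DenyAccess')]
        [string] $AccessRight = 'RestrictAccess'
    )

    # Fail early if no policy with this access right exists for the app.
    $policy = Get-ApplicationAccessPolicy |
        Where-Object { $_.AppId -eq $AppId -and "$($_.AccessRight)" -eq $AccessRight }
    if (-not $policy) {
        throw "No $AccessRight policy found for AppId $AppId"
    }

    # RestrictAccess: members Granted, all others Denied. DenyAccess: the reverse.
    if ($AccessRight -eq 'RestrictAccess') {
        $forMember = 'Granted'; $forOther = 'Denied'
    } else {
        $forMember = 'Denied'; $forOther = 'Granted'
    }

    # Test mailboxes only; skip nested groups and contacts.
    $members = @(Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object { "$($_.PrimarySmtpAddress)" })

    $checks  = @($members        | ForEach-Object { [pscustomobject]@{ Mailbox = $_; Expected = $forMember } })
    $checks += @($OutsideMailbox | ForEach-Object { [pscustomobject]@{ Mailbox = $_; Expected = $forOther } })

    foreach ($check in $checks) {
        $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
        [pscustomobject]@{
            Mailbox  = $check.Mailbox
            Expected = $check.Expected
            Actual   = "$($result.AccessCheckResult)"
            Match    = ("$($result.AccessCheckResult)" -eq $check.Expected)
        }
    }
}

# Constructed placeholder values; replace with your own.
Test-CalendarPolicyScope -AppId '00000000-0000-0000-0000-000000000000' `
    -GroupIdentity 'calendar-access@contoso.example' `
    -OutsideMailbox 'not-in-group@contoso.example' |
    Format-Table -AutoSize
```

Any row with Match = False means the group membership or the policy's access right differs from what you intended.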
