Control access with a mail-enabled security group and an Application Access Policy
Granting consent during the onboard process allows Graph API to get notifications from all calendars in a Microsoft 365 tenant. We recommend applying an Application Access Policy to restrict access to specific calendars only. The Application Access Policy can either allow or deny notifications to Graph API from members of a mail-enabled security group.
Two access rights can be set on the Application Access Policy (the -AccessRight parameter), depending on whether you want to allow or deny access to the calendars of the users in the mail-enabled security group.
a) DenyAccess denies access to the calendars of the group's members and allows access to all other users' calendars.
b) RestrictAccess allows access only to the calendars of the group's members and blocks access to all other calendars.
How is it done?
Use the following PowerShell scripts to create a new mail-enabled security group and create an Application Access Policy to restrict access to specific calendars.
- Log in with your Microsoft 365 admin account and run the following script to create the session.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
# -Credential only works for accounts without MFA; otherwise run Connect-ExchangeOnline without it and sign in interactively.
Connect-ExchangeOnline -Credential $UserCredential
# Legacy alternative: a Basic-authentication remote PowerShell session. Microsoft has retired Basic authentication for this endpoint, so these lines are kept for reference only; use Connect-ExchangeOnline above instead.
# $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import-PSSession $Session -AllowClobber
- Create a new mail-enabled security group to manage the calendars that you will either allow or deny access to.
New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type security
- Create an Application Access Policy for the mail-enabled security group.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter the email address of the mail-enabled security group" -Description "Restricted Access Group Policy"
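The steps above, carried through end to end as an added example (this is not script from the original page or from the Token Provider product): it connects, creates the group if it does not already exist, adds the mailboxes whose calendars are in scope, creates the policy for either access right, and then verifies the result with Test-ApplicationAccessPolicy, which reports whether the app is Granted or Denied access to a given mailbox. All names, addresses and the app ID are placeholders you must replace with your tenant's values.

```powershell
# Added example, not from the original page. Placeholders below are assumptions:
# replace the app ID, group names/addresses and member addresses with real values.
$AppId        = '00000000-0000-0000-0000-000000000000'   # Entra ID application (client) ID of the app (placeholder)
$GroupName    = 'CalendarApp-ScopedUsers'                # placeholder
$GroupAlias   = 'calendarapp-scoped'                     # placeholder
$GroupAddress = 'calendarapp-scoped@contoso.example'     # group SMTP address; used as -PolicyScopeGroupId (placeholder)
$Members      = @('room1@contoso.example', 'alice@contoso.example')  # calendars in scope (placeholders)
$NonMember    = 'bob@contoso.example'                    # a mailbox outside the group, for the check (placeholder)

# Pick the model described on this page:
#   RestrictAccess = allow-list: only members' calendars are reachable by the app
#   DenyAccess     = deny-list:  members' calendars are blocked, every other calendar stays reachable
$AccessRight  = 'RestrictAccess'

Connect-ExchangeOnline

# 1. Mail-enabled security group that scopes the policy (created only if missing).
$group = Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Alias $GroupAlias `
        -Type Security -PrimarySmtpAddress $GroupAddress
}

# 2. Put the in-scope mailboxes into the group.
foreach ($member in $Members) {
    Add-DistributionGroupMember -Identity $GroupAddress -Member $member -ErrorAction SilentlyContinue
}

# 3. Create the policy for this app unless one with the same access right already exists.
$existing = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq $AccessRight }
if (-not $existing) {
    New-ApplicationAccessPolicy -AccessRight $AccessRight -AppId $AppId `
        -PolicyScopeGroupId $GroupAddress `
        -Description "$AccessRight policy for app $AppId scoped to $GroupName"
}

# 4. Verify: a member and a non-member should get opposite results.
$expectedMember = if ($AccessRight -eq 'RestrictAccess') { 'Granted' } else { 'Denied' }
$expectedOther  = if ($AccessRight -eq 'RestrictAccess') { 'Denied' }  else { 'Granted' }

$memberCheck = Test-ApplicationAccessPolicy -Identity $Members[0] -AppId $AppId
$otherCheck  = Test-ApplicationAccessPolicy -Identity $NonMember  -AppId $AppId

"{0,-30} {1}" -f $Members[0], $memberCheck.AccessCheckResult
"{0,-30} {1}" -f $NonMember,  $otherCheck.AccessCheckResult

# Policy changes take time to propagate; re-run step 4 if the results do not match yet.
if ($memberCheck.AccessCheckResult -ne $expectedMember -or $otherCheck.AccessCheckResult -ne $expectedOther) {
    Write-Warning "Policy not effective yet or misconfigured: expected member=$expectedMember, other=$expectedOther"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Two points worth keeping in mind when using this: Application Access Policies only constrain app-only (application permission) access to mailboxes, not delegated access on behalf of a signed-in user, so they do not replace reviewing the permissions granted at consent time; and Test-ApplicationAccessPolicy is the quickest way to confirm, per mailbox, that the scope you intended is the scope you got before the app goes live.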