# Limit Permissions to a Specific Mailbox

{% hint style="warning" %}
When you have created an App Registration with Mail.ReadWrite permissions, that app can read **all** mailboxes in the directory. Follow these instructions to limit its access to the mailboxes of the members of a specific security group.
{% endhint %}

For more information about limiting the permissions to a specific mailbox, read more at <https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access>.

### Create a New Mail-Enabled Security Group

{% hint style="info" %}
You can use an existing security group for your mailbox if you already have one that matches your needs. Continue with [Create an Application Access Policy](https://docs.novacura.com/extensibility-and-integration/products/active-directory/microsoft-graph/create-app-registration#create-an-application-access-policy) in that case.
{% endhint %}

* Navigate to Exchange Admin Center, <https://admin.exchange.microsoft.com>
* Create a new mail-enabled security group

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkklfS6BlTq4ub1jpEi%2Femail-group-1.png?alt=media&#x26;token=43d9fe17-613a-4ed6-807d-35f20deea0b0" alt=""></div>

* Select "Mail-enabled security" for the group type

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkklxrjXAYI46C1LWpb%2Femail-group-2.png?alt=media&#x26;token=8a2790b3-80b2-4043-917b-bd231a249c2b" alt=""></div>

* Enter a name for the group

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkkmAx1lN93A5F-8U20%2Femail-group-3.png?alt=media&#x26;token=1c24dd94-f48a-4c43-9738-f6d3c54ed7ca" alt=""></div>

* Enter an email address

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkkmVfFSHVV7YqitfqF%2Femail-group-4.png?alt=media&#x26;token=d8ed1280-153c-4a13-9d6f-2637bf4e683f" alt=""></div>

* Save the new group

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkkmomXKJIIA2yWmWB6%2Femail-group-5.png?alt=media&#x26;token=99e4cabf-f79c-4a8a-87cd-5c170b52fd92" alt=""></div>

* Add one or more members to the new group by clicking on the Group Name and selecting Members in the panel to the right

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkknHr0ZxE4lq9OsgiH%2Femail-group-6.png?alt=media&#x26;token=ad78d1a4-098c-4f41-94be-24a61ab90d8a" alt=""></div>

* Add the member and save

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-Mkknl7ATFs2yxBtIspy%2Femail-group-7.png?alt=media&#x26;token=6c7ca5dc-7af4-4b4f-b263-62e585aec1b1" alt=""></div>

### Create an Application Access Policy

Follow these steps to connect your App Registration with the Mail-enabled Security Group by using Exchange Online PowerShell.

If you haven't used Exchange Online PowerShell before you need to set up your PowerShell environment first. Follow the instructions at [Install and maintain the EXO V2 module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#install-and-maintain-the-exo-v2-module)

* Execute the following statements in a PowerShell console
* First, import the ExchangeOnlineManagement module

```
Import-Module ExchangeOnlineManagement
```

* Connect to Exchange Online

```
Connect-ExchangeOnline -UserPrincipalName admin-user@flowington.com
```

* Create the new access policy by linking your Application ID to your Security Group

```
New-ApplicationAccessPolicy -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F -PolicyScopeGroupId flow-mailboxes@flowington.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group Flow-Mailboxes."
```

* Test your new policy with an email address that is a member of the group and one that's not

```
Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F
```

Sample output of an access policy test:

```
PS /Users/anbese> Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : Daisy
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Granted


PS /Users/anbese> Test-ApplicationAccessPolicy -Identity lily@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : lily
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Denied
```

* Disconnect from Exchange Online PowerShell

```
Disconnect-ExchangeOnline
```
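The steps above, combined into one script that creates the policy only if the app does not already have one and then checks a list of mailboxes that should be granted and a list that should be denied. This is an added example, not code from the Novacura page or the ExchangeOnlineManagement module; the App ID, group address, mailboxes and admin account are placeholders that you replace with your own values.

```powershell
# Added example (not from the original page): create an application access
# policy for one App Registration and verify it against member and
# non-member mailboxes before relying on it. All identifiers are placeholders.
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',  # placeholder App (client) ID
    [string]$ScopeGroup   = 'flow-mailboxes@example.com',            # mail-enabled security group (placeholder)
    [string[]]$ShouldPass = @('member@example.com'),                 # mailboxes that are members of the group
    [string[]]$ShouldFail = @('outsider@example.com'),               # mailboxes that are not members
    [string]$AdminUpn     = 'admin@example.com'                      # account used for Connect-ExchangeOnline
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Create the policy only once. RestrictAccess limits the app to the group's
# members; every other mailbox in the tenant is denied for this App ID.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description "Restrict $AppId to members of $ScopeGroup" | Out-Null
}

function Test-MailboxScope {
    # Returns $true only when every mailbox yields the expected AccessCheckResult.
    param([string[]]$Mailboxes, [string]$Expected)
    $ok = $true
    foreach ($mbx in $Mailboxes) {
        $result = (Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId).AccessCheckResult
        $state = if ($result -eq $Expected) { 'OK ' } else { $ok = $false; 'BAD' }
        Write-Host ("{0} {1,-40} expected {2,-7} got {3}" -f $state, $mbx, $Expected, $result)
    }
    return $ok
}

$allGood = (Test-MailboxScope -Mailboxes $ShouldPass -Expected 'Granted') -and
           (Test-MailboxScope -Mailboxes $ShouldFail -Expected 'Denied')

Disconnect-ExchangeOnline -Confirm:$false

if (-not $allGood) {
    Write-Error "Application access policy for $AppId does not scope mailboxes as expected."
    exit 1
}
```

Test-ApplicationAccessPolicy evaluates the stored policy immediately, but Microsoft documents that policy changes can take up to 30 minutes to take effect for Microsoft Graph calls, so a real request with the app's token is worth repeating after that window. Because the scope is defined by group membership, whoever can add members to the mail-enabled security group can widen the app's reach; treat membership changes to that group as part of the access control and review them accordingly.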
