Limit Permissions to a Specific Mailbox

This document describes how to limit the permissions for an App Registration to a specific mailbox or a set of mailboxes.

PreviousCreate App Registration NextOpenID

Last updated 3 years ago

Was this helpful?

Limit Permissions to a Specific Mailbox

This document describes how to limit the permissions for an App Registration to a specific mailbox or a set of mailboxes.

Limit Permissions to a Specific Mailbox

When you have created an App Registration with Mail.ReadWrite permissions it is possible to read all mailboxes in the directory. Follow these instructions to limit the access to mailboxes in a specific security group.

For more information about limiting the permissions to a specific mailbox, read more at

Create a New Mail-Enabled Security Group

You can use an existing security group for your mailbox if you already have one that matches your needs. Continue with in that case.

Navigate to Exchange Admin Center,
Create a new mail-enabled security group

Select "Mail-enabled security" for the group type

Enter a name for the group

Enter an email address

Save the new group

Add one or members to the new group by clicking on the Group Name and select Members in the panel to the right

Add the member and save

Create an Application Access Policy

Follow these steps to connect your App Registration with the Mail-enabled Security Group by using Exchange Online PowerShell.

Execute the following statements in PowerShell console
First import the EchangeOnlineManagement module

Import-Module ExchangeOnlineManagement

Connect to EchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName admin-user@flowington.com

Create the new access policy by connecting your Application ID your Security Group

New-ApplicationAccessPolicy -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F -PolicyScopeGroupId flow-mailboxes@flowington.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group Flow-Mailboxes."

Test your new policy with an email address that is a member of the group and one that's not

Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F

Sample output of an access policy test:

PS /Users/anbese> Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : Daisy
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Granted


PS /Users/anbese> Test-ApplicationAccessPolicy -Identity lily@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : lily
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Denied

Disconnect from Exchange Online PowerShell

Disconnect-ExchangeOnline

PreviousCreate App Registration NextOpenID

Last updated 3 years ago

Was this helpful?

Limit Permissions to a Specific Mailbox

For more information about limiting the permissions to a specific mailbox, read more at

Create a New Mail-Enabled Security Group

You can use an existing security group for your mailbox if you already have one that matches your needs. Continue with in that case.

Navigate to Exchange Admin Center,
Create a new mail-enabled security group

Select "Mail-enabled security" for the group type

Enter a name for the group

Enter an email address

Save the new group

Add one or members to the new group by clicking on the Group Name and select Members in the panel to the right

Add the member and save

Create an Application Access Policy

Follow these steps to connect your App Registration with the Mail-enabled Security Group by using Exchange Online PowerShell.

If you haven't used Exchange Online PowerShell before you need to set up your PowerShell environment first. Follow the instructions at

Execute the following statements in PowerShell console
First import the EchangeOnlineManagement module

Import-Module ExchangeOnlineManagement

Connect to EchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName admin-user@flowington.com

Create the new access policy by connecting your Application ID your Security Group

New-ApplicationAccessPolicy -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F -PolicyScopeGroupId flow-mailboxes@flowington.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group Flow-Mailboxes."

Test your new policy with an email address that is a member of the group and one that's not

Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F

Sample output of an access policy test:

PS /Users/anbese> Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : Daisy
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Granted


PS /Users/anbese> Test-ApplicationAccessPolicy -Identity lily@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : lily
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Denied

Disconnect from Exchange Online PowerShell

Disconnect-ExchangeOnline