# Limit Permissions to a Specific Mailbox

{% hint style="warning" %}
When you have created an App Registration with Mail.ReadWrite permissions, it is possible to read **all** mailboxes in the directory. Follow these instructions to limit the access to the mailboxes in a specific security group.
{% endhint %}

For more information about limiting the permissions to a specific mailbox, read the Microsoft documentation at <https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access>.

### Create a New Mail-Enabled Security Group

{% hint style="info" %}
You can use an existing security group for your mailbox if you already have one that matches your needs. Continue with [Create an Application Access Policy](https://docs.novacura.com/extensibility-and-integration/products/active-directory/microsoft-graph/create-app-registration#create-an-application-access-policy) in that case.
{% endhint %}

* Navigate to Exchange Admin Center, <https://admin.exchange.microsoft.com>
* Create a new mail-enabled security group

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkklfS6BlTq4ub1jpEi%2Femail-group-1.png?alt=media&#x26;token=43d9fe17-613a-4ed6-807d-35f20deea0b0" alt=""></div>

* Select "Mail-enabled security" for the group type

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkklxrjXAYI46C1LWpb%2Femail-group-2.png?alt=media&#x26;token=8a2790b3-80b2-4043-917b-bd231a249c2b" alt=""></div>

* Enter a name for the group

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkkmAx1lN93A5F-8U20%2Femail-group-3.png?alt=media&#x26;token=1c24dd94-f48a-4c43-9738-f6d3c54ed7ca" alt=""></div>

* Enter an email address

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkkmVfFSHVV7YqitfqF%2Femail-group-4.png?alt=media&#x26;token=d8ed1280-153c-4a13-9d6f-2637bf4e683f" alt=""></div>

* Save the new group

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkkmomXKJIIA2yWmWB6%2Femail-group-5.png?alt=media&#x26;token=99e4cabf-f79c-4a8a-87cd-5c170b52fd92" alt=""></div>

* Add one or more members to the new group by clicking on the group name and selecting Members in the panel to the right

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-MkknHr0ZxE4lq9OsgiH%2Femail-group-6.png?alt=media&#x26;token=ad78d1a4-098c-4f41-94be-24a61ab90d8a" alt=""></div>

* Add the member and save

<div align="left"><img src="https://3010335096-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjcNODv1kQRDGTj76t9%2F-Mkk_gD4pxmVk7mzWPC9%2F-Mkknl7ATFs2yxBtIspy%2Femail-group-7.png?alt=media&#x26;token=6c7ca5dc-7af4-4b4f-b263-62e585aec1b1" alt=""></div>

### Create an Application Access Policy

Follow these steps to connect your App Registration with the Mail-enabled Security Group by using Exchange Online PowerShell.

If you haven't used Exchange Online PowerShell before, you need to set up your PowerShell environment first. Follow the instructions at [Install and maintain the EXO V2 module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#install-and-maintain-the-exo-v2-module).

* Execute the following statements in a PowerShell console
* First import the ExchangeOnlineManagement module

```
Import-Module ExchangeOnlineManagement
```

* Connect to Exchange Online

```
Connect-ExchangeOnline -UserPrincipalName admin-user@flowington.com
```

* Create the new access policy by connecting your Application ID to your Security Group

```
New-ApplicationAccessPolicy -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F -PolicyScopeGroupId flow-mailboxes@flowington.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group Flow-Mailboxes."
```

* Test your new policy with an email address that is a member of the group and one that's not

```
Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId B1A82AD6-34A8-4546-8BBD-A4B79625C74F
```

Sample output of an access policy test:

```
PS /Users/anbese> Test-ApplicationAccessPolicy -Identity daisy@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : Daisy
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Granted


PS /Users/anbese> Test-ApplicationAccessPolicy -Identity lily@flowington.com -AppId 0dba3db1-xxxx

RunspaceId        : -
AppId             : -
Mailbox           : lily
MailboxId         : -
MailboxSid        : -
AccessCheckResult : Denied
```

* Disconnect from Exchange Online PowerShell

```
Disconnect-ExchangeOnline
```
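The steps above can be verified in one pass with the following script, an added example that is not part of the original guide or the Novacura product: it checks that a policy exists for the App ID, tests every mailbox member of the group (expecting Granted) and a list of control mailboxes outside the group (expecting Denied). It assumes the ExchangeOnlineManagement module is installed; the App ID, group address, admin UPN and control mailbox are the guide's sample values and must be replaced with your own.

```powershell
# Added verification script (not from the original guide).
param(
    [string]$AppId            = 'B1A82AD6-34A8-4546-8BBD-A4B79625C74F',  # sample value
    [string]$GroupAddress     = 'flow-mailboxes@flowington.com',         # sample value
    [string[]]$ControlMailboxes = @('lily@flowington.com'),              # non-members, expected Denied
    [string]$AdminUpn         = 'admin-user@flowington.com'              # sample value
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # 1. Without a policy, Mail.ReadWrite covers every mailbox in the tenant,
    #    so "no policy for this app" is a failure, not a warning.
    $policies = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
    if (-not $policies) {
        throw "No application access policy exists for AppId $AppId; the app can reach all mailboxes."
    }
    $policies | Format-Table AppId, ScopeName, AccessRight, Description -AutoSize

    $failures = @()

    # 2. Every mailbox member of the mail-enabled security group must be Granted.
    #    Contacts and nested groups are skipped; only mailboxes are tested.
    $members = Get-DistributionGroupMember -Identity $GroupAddress -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -like '*Mailbox' }
    foreach ($m in $members) {
        $r = Test-ApplicationAccessPolicy -Identity $m.PrimarySmtpAddress -AppId $AppId
        if ("$($r.AccessCheckResult)" -ne 'Granted') {
            $failures += "Member $($m.PrimarySmtpAddress): expected Granted, got $($r.AccessCheckResult)"
        }
    }

    # 3. Control mailboxes outside the group must be Denied.
    foreach ($addr in $ControlMailboxes) {
        $r = Test-ApplicationAccessPolicy -Identity $addr -AppId $AppId
        if ("$($r.AccessCheckResult)" -ne 'Denied') {
            $failures += "Non-member ${addr}: expected Denied, got $($r.AccessCheckResult)"
        }
    }

    if ($failures) {
        $failures | ForEach-Object { Write-Warning $_ }
        throw "Policy verification failed with $($failures.Count) problem(s)."
    }
    Write-Host "Policy for $AppId grants only the $($members.Count) mailbox member(s) of $GroupAddress."
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

A freshly created policy may take some time to propagate to Microsoft Graph, so a Denied result from Test-ApplicationAccessPolicy is a necessary but not sufficient check; re-run the verification after the policy has settled.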
