search

Limit Permissions to a Specific Mailbox

This document describes how to limit the permissions for an App Registration to a specific mailbox or a set of mailboxes.

hashtag
Limit Permissions to a Specific Mailbox

circle-exclamation

When you have created an App Registration with Mail.ReadWrite permissions it is possible to read all mailboxes in the directory. Follow these instructions to limit the access to mailboxes in a specific security group.

For more information about limiting the permissions to a specific mailbox, read more at https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-accessarrow-up-right

hashtag
Create a New Mail-Enabled Security Group

circle-info

You can use an existing security group for your mailbox if you already have one that matches your needs. Continue with Create an Application Access Policy in that case.

  • Select "Mail-enabled security" for the group type

  • Enter a name for the group

  • Enter an email address

  • Save the new group

  • Add one or members to the new group by clicking on the Group Name and select Members in the panel to the right

  • Add the member and save

hashtag
Create an Application Access Policy

Follow these steps to connect your App Registration with the Mail-enabled Security Group by using Exchange Online PowerShell.

If you haven't used Exchange Online PowerShell before you need to set up your PowerShell environment first. Follow the instructions at Install and maintain the EXO V2 modulearrow-up-right

  • Execute the following statements in PowerShell console

  • First import the EchangeOnlineManagement module

  • Connect to EchangeOnlineManagement

  • Create the new access policy by connecting your Application ID your Security Group

  • Test your new policy with an email address that is a member of the group and one that's not

Sample output of an access policy test:

  • Disconnect from Exchange Online PowerShell

PreviousCreate App RegistrationNextOpenID

Last updated

Was this helpful?