Today we’re excited to announce the release of the Application Access Policy feature for Exchange Online PowerShell. This feature allows Exchange Online administrators to scope application permissions for Microsoft Graph to allow access to specified mailboxes in their Office 365 tenant.
Why would you need to do this? Well, imagine Contoso, an Office 365 customer that has thousands of employees spread across multiple departments. Contoso has built and deployed an appointment booking app that helps their customers book service appointments with specialist technicians employed by the company.
The app Contoso built uses Microsoft Graph to identify free appointment times on the technicians’ calendars and uses them to book appointments. Because the app requires access to multiple technicians’ mailboxes, it uses the OAuth 2.0 client credentials grant flow, and application permissions were granted to it, enabling the app to access all mailboxes in the organization, not just the mailboxes belonging to technicians.
Using Application Access Policies, Contoso administrators can now restrict the app’s access to only the technicians’ mailboxes via a security group, and disallow its access to other mailboxes.
You can use the following steps to configure an application access policy. These steps are specific to Exchange Online resources and do not apply to other Microsoft Graph workloads.
Create a new mail-enabled security group or use an existing one and identify the email address for the group.
Create an application access policy.
Run the following command, replacing the AppId, PolicyScopeGroupId, and Description arguments for your own values.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
You can use the following links to learn more about this feature.