Show Hide

 

Feedback

  • Contents
 

Limiting Mailbox access by Application Access Policy

  • Creating Mail Enabled Security Group:
  1. Login to https://admin.exchange.microsoft.com/ with your admin credentials (EWS Admin: abc@def.com, pw: abcdef#1111)
  2. Navigate to Recipients Groups > Mail-enabled security.
  3. Click Add a group and follow the instructions in the details pane.
  4. Under Choose a group type section, select Mail-enabled security and click Next.
  5. Under Set up the basics section, enter the details and click Next.
  6. Add the members you want to this Group.

     

  • Run the below commands in powershell:
  1. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  2. Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
  3. Install-Module -Name PowerShellGet -Force
  4. Install-Module -Name ExchangeOnlineManagement
  5. Set-ExecutionPolicy -ExecutionPolicy Unrestricted
  6. Import-Module ExchangeOnlineManagement
  7. Connect-ExchangeOnline -UserPrincipalName abc@efg.com (after this enter password in window)
  • Creating application policy(Deny Permission):

          Run the below command in powershell

New-ApplicationAccessPolicy -AppId de038d8c-cfea-45a0-b309-9f9683b71a68 -PolicyScopeGroupId <abce@efgh.onmicrosoft.com> -AccessRight DenyAccess -Description "Deny access to this app to members of group ProtectedUsers."

          

  • To test the application policy:

          Test-ApplicationAccessPolicy -Identity <abc@def.com> -AppId 6a3724e9-c78d-4c91-8869-b389fd6ae805

          

          Test-ApplicationAccessPolicy -Identity <abc@def.com> -AppId de038d8c-cfea-45a0-b309-9f9683b71a68

          

          

  • Creating application policy(Restrict Permission):

          

  • Since abce@deg-testing.com is the Service Provider account on behalf of which email exchange is happening in IA, this account should also be added as the member of the group including with the other user group of members of the group.
  • Service provider account should have access to the mailboxes for the permissions to apply.
  • New-ApplicationAccessPolicy -AppId de038d8c-cfea-45a0-b309-9f9683b71a68 -PolicyScopeGroupId <abce@efgh.onmicrosoft.com> -AccessRight DenyAccess -Description  by "Restrict access to this app to members of group ProtectedUsers."

          

          Test-ApplicationAccessPolicy -Identity <abcd@efg-testing.com> -AppId de038d8c-cfea-45a0-b309-9f9683b71a68

         

         

         Test-ApplicationAccessPolicy -Identity <abcd@efg-testing.com> -AppId de038d8c-cfea-45a0-b309-9f9683b71a68

        

        

  • Deleting application policy:

Remove-ApplicationAccessPolicy -Identity "c96cbe3a-bc65-47bb-93d7-1143955fb8ea\de038d8c-cfea-45a0-b309-9f9683b71a68:S-1-5-21-651077753-2242224735-496758556-38211132;5f2fe90e-4827-4890-be79-b4e7d61ebff2"