Control access to calendars with a mail-enabled security group
Granting consent during the onboarding process allows Graph API access to all calendars in a Microsoft 365 tenant. We recommend applying an Application Access Policy and Management Scope to restrict access to specific calendars only. The Application Access Policy can either restrict or deny Graph API access to members of a mail-enabled security group.
There are two types of permissions that can be applied to the Application Access Policy, depending on whether you wish to allow or deny access to the mailboxes added to the mail-enabled security group.
a) Use DenyAccess to deny access to mailboxes in the group and allow access to all other mailboxes.
b) Use RestrictAccess to allow access to mailboxes in the group and restrict access to all other mailboxes.
Learn more about New-ApplicationAccessPolicy in the Microsoft documentation: https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps/
How is it done?
Use the following PowerShell commands to create a new mail-enabled security group, an Application Access Policy and a Management Scope that together restrict access to specific mailboxes.
- Connect to Exchange Online using the Connect-ExchangeOnline PowerShell cmdlet and log in.
- If the Connect-ExchangeOnline cmdlet is not recognized, you may need to install the Exchange Online PowerShell module with the command Install-Module ExchangeOnlineManagement.
- If your system execution policy prevents the Connect-ExchangeOnline cmdlet from running, it can be bypassed for the current process with the PowerShell command:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
- Check that your Microsoft 365 service account does not already have full (unscoped) impersonation rights.
Get-ManagementRoleAssignment -RoleAssignee "Enter service account name"
There should be no results with Role "ApplicationImpersonation" and RoleAssigneeType "User".
- Create a new mail-enabled security group to manage the mailboxes that you will either allow or deny access to.
New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type security
- Create an Application Access Policy on the mail-enabled security group.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"
-AccessRight: Replace “RestrictAccess” with “DenyAccess” to deny access to the calendars in the security group and allow access to all other calendars.
-AppId: To find your Token Provider AD App ID, run
Get-AzureADApplication -Filter "DisplayName eq 'CondecoTokenProviderAD'"
- Retrieve the group object (needed when mailboxes are added to the security group; its distinguished name is also used in the Management Scope filter in the next step).
$DG = Get-DistributionGroup -Identity "Enter Group Mailbox ID"
- Create a Management Scope limited to members of the group.
New-ManagementScope "Enter new name of management scope" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"
- Assign the ApplicationImpersonation role to the service account, limited to the Management Scope created in the previous step.
New-ManagementRoleAssignment -Name:"Enter new name of role assignment" -Role:ApplicationImpersonation -User:"Enter service account mailbox id" -CustomRecipientWriteScope:"Enter name of management scope created in the previous step"
Microsoft 365 takes at least one hour to replicate changes to the Application Access Policy.
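Once the policy has replicated, the following script can confirm that the restriction is actually in effect. It is an added example, not part of the original guide, and assumes an existing Connect-ExchangeOnline session; every parameter value (App ID, group, service account and the two test mailboxes) is a placeholder you supply.

```powershell
# Added verification script (not from the original guide). Assumes you are already
# connected with Connect-ExchangeOnline. All parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string] $AppId,            # Token Provider AD App ID
    [Parameter(Mandatory)] [string] $GroupIdentity,    # mail-enabled security group
    [Parameter(Mandatory)] [string] $ServiceAccount,   # Microsoft 365 service account
    [Parameter(Mandatory)] [string] $MemberMailbox,    # a mailbox inside the group
    [Parameter(Mandatory)] [string] $NonMemberMailbox  # a mailbox outside the group
)

$failures = @()

# 1. Exactly one policy should bind this app to the group, and it should be RestrictAccess.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })
if ($policies.Count -ne 1) {
    $failures += "Expected 1 Application Access Policy for AppId $AppId, found $($policies.Count)."
} elseif ($policies[0].AccessRight -ne 'RestrictAccess') {
    $failures += "Policy AccessRight is $($policies[0].AccessRight), expected RestrictAccess."
}

# 2. Graph access should be Granted only for mailboxes in the group and Denied elsewhere.
$inGroup  = Test-ApplicationAccessPolicy -Identity $MemberMailbox    -AppId $AppId
$outGroup = Test-ApplicationAccessPolicy -Identity $NonMemberMailbox -AppId $AppId
if ($inGroup.AccessCheckResult -ne 'Granted') {
    $failures += "$MemberMailbox is in the group but access is $($inGroup.AccessCheckResult)."
}
if ($outGroup.AccessCheckResult -ne 'Denied') {
    $failures += "$NonMemberMailbox is outside the group but access is $($outGroup.AccessCheckResult)."
}

# 3. Every ApplicationImpersonation assignment on the service account must carry a custom
#    recipient write scope; an assignment without one is tenant-wide impersonation.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation
foreach ($a in $assignments) {
    if ([string]::IsNullOrEmpty($a.CustomRecipientWriteScope)) {
        $failures += "Assignment $($a.Name) grants unscoped ApplicationImpersonation."
    }
}

# 4. An empty group means no calendar is reachable at all, which usually signals a misconfiguration.
if (-not (Get-DistributionGroupMember -Identity $GroupIdentity)) {
    $failures += "Group $GroupIdentity has no members."
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "Calendar access restriction verified for AppId $AppId."
```

If you chose DenyAccess instead of RestrictAccess, swap the expected AccessRight in check 1 and the Granted/Denied expectations in check 2.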