Restrict MS Graph to a specific mailbox

To restrict MS Graph access to a specific mailbox you can follow these steps.

Prerequisites:

  1. The MS Graph mail application as described; its application (client) ID is needed for the setup
  2. The Azure user principal name (UPN) of the mail account whose mailbox the application may access

Setup permissions:

  1. Open a PowerShell CLI in admin mode
  2. If not already installed, install the module by running this command:
     Install-Module -Name ExchangeOnlineManagement -Scope AllUsers
  3. Connect to Exchange Online by running this command (replace admin@contoso.com with your own account with the necessary Azure rights):
     Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
  4. Add the access policy by running this command:
     New-ApplicationAccessPolicy -AppId <appId> -PolicyScopeGroupId <user principal name for mailbox> -AccessRight RestrictAccess -Description "Restrict this app to a specific mailbox"

You can test the permissions by running this command:

Test-ApplicationAccessPolicy -AppId <appId> -Identity <user principal name for mailbox>

It will show status (AccessCheckResult – Granted or Denied) for the application and mailbox.

It can take up to 1 hour for the changes to take effect in Microsoft Graph REST API calls.
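The steps above collected into one script, as an added example that is not part of the original article: it creates the policy only if none exists for the app ID, then checks that the scoped mailbox is Granted and that a second, unrelated control mailbox is Denied. The parameter names and placeholder values are assumptions.

```powershell
# Added example (not from the original article). Replace all values when running.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,        # e.g. admin@contoso.com
    [Parameter(Mandatory)] [string] $AppId,           # application (client) ID of the MS Graph mail app
    [Parameter(Mandatory)] [string] $Mailbox,         # UPN of the mailbox the app may access
    [Parameter(Mandatory)] [string] $ControlMailbox   # UPN of an unrelated mailbox that must be denied
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Idempotent: create the policy only if none exists yet for this application.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $Mailbox `
        -AccessRight RestrictAccess `
        -Description "Restrict this app to a specific mailbox" | Out-Null
    Write-Host "Created RestrictAccess policy for app $AppId scoped to $Mailbox"
} else {
    Write-Host "Policy already present for app $AppId:"
    $existing | Format-Table AppId, ScopeIdentity, AccessRight
}

# Verify: the scoped mailbox must be Granted, any other mailbox Denied.
$checks = @(
    @{ Identity = $Mailbox;        Expected = 'Granted' },
    @{ Identity = $ControlMailbox; Expected = 'Denied'  }
)
$ok = $true
foreach ($c in $checks) {
    $result = (Test-ApplicationAccessPolicy -AppId $AppId -Identity $c.Identity).AccessCheckResult
    $status = if ("$result" -eq $c.Expected) { 'OK  ' } else { $ok = $false; 'FAIL' }
    Write-Host ("{0} {1,-40} expected={2,-7} actual={3}" -f $status, $c.Identity, $c.Expected, $result)
}

Disconnect-ExchangeOnline -Confirm:$false
if (-not $ok) { throw "Application access policy does not restrict app $AppId as intended." }
```

Test-ApplicationAccessPolicy evaluates the stored policy immediately, so a FAIL here is a configuration error, while Graph REST calls may still take up to an hour to reflect the change.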
