To restrict MS Graph access to a specific mailbox, you can follow these steps.
Prerequisites:
- MS Graph mail application as described – its application (client) ID is needed for the setup
- Azure user principal name for mail account
Setup permissions:
- Open a PowerShell CLI in admin mode
- If not already installed, then install the module by running this command:
Install-Module -Name ExchangeOnlineManagement -Scope AllUsers
- Connect to Exchange Online by running this command (Replace admin@contoso.com with your own account with the necessary Azure rights):
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
- Add the access policy by running this command:
New-ApplicationAccessPolicy -AppId <appId> -PolicyScopeGroupId <user principal name for mailbox> -AccessRight RestrictAccess -Description "Restrict this app to a specific mailbox"
You can test the permissions by running this command:
Test-ApplicationAccessPolicy -AppId <appId> -Identity <user principal name for mailbox>
It will show status (AccessCheckResult – Granted or Denied) for the application and mailbox.
It can take up to 1 hour for the changes to take effect in Microsoft Graph REST API calls.
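The steps above combined into one script, as an added example that is not part of the original article: it creates the policy only if none exists for the app and then verifies it in both directions, since an application permission such as Mail.Read applies to every mailbox in the tenant until a RestrictAccess policy narrows it. The app ID, admin account and the two mailbox addresses are constructed placeholders.

```powershell
# Added example, not from the original article. Placeholder values below must be replaced.
$AppId        = "<appId>"                   # application (client) ID of the MS Graph mail app
$AdminUpn     = "admin@contoso.com"         # constructed: account with the necessary Exchange rights
$MailboxUpn   = "mailbox@contoso.com"       # constructed: the one mailbox the app may reach
$OtherMailbox = "someone.else@contoso.com"  # constructed: any mailbox that must stay Denied

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Create the policy only if this app does not already have one.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $MailboxUpn `
        -AccessRight RestrictAccess -Description "Restrict this app to a specific mailbox"
}

# Positive check: the scoped mailbox must be Granted.
$inScope = Test-ApplicationAccessPolicy -AppId $AppId -Identity $MailboxUpn
if ($inScope.AccessCheckResult -ne 'Granted') {
    throw "Expected Granted for $MailboxUpn, got $($inScope.AccessCheckResult)"
}

# Negative check: a mailbox outside the policy scope must be Denied,
# otherwise the app still has tenant-wide reach.
$outScope = Test-ApplicationAccessPolicy -AppId $AppId -Identity $OtherMailbox
if ($outScope.AccessCheckResult -ne 'Denied') {
    throw "Expected Denied for $OtherMailbox, got $($outScope.AccessCheckResult)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

The Test-ApplicationAccessPolicy checks reflect the policy immediately, while Graph calls can lag by up to the hour noted above.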