Azure Application Access Policies

This document explains how application access policies can restrict an application's access (for example, an app granted "Group.Read.All") to a subset of mail-enabled security groups in Exchange Online.

To limit the scope of Group.Read.All permissions in Microsoft Graph to specific mail-enabled security groups, use the following approach:

1- Ensure the Exchange Online PowerShell module is installed, then connect to Exchange Online as an administrator:

Connect-ExchangeOnline -UserPrincipalName <admin_user>@<domain>.com

2- Create a mail-enabled security group in Azure AD or use an existing one. Ensure the group is mail-enabled and contains the users/groups the application should be allowed to access.

3- Create the application access policy: use the New-ApplicationAccessPolicy cmdlet to create a policy that limits the app's access to the chosen group:

New-ApplicationAccessPolicy -AppId <YourAppId> -PolicyScopeGroupId <MailEnabledSecurityGroupId> -AccessRight RestrictAccess -Description "Limit app access to this group"

AppId: the Application ID (Client ID) of your registered application in Azure AD.
PolicyScopeGroupId: the Object ID of the mail-enabled security group the application is allowed to access.

4- Test the policy (optional): verify how the policy resolves for a given user with

Test-ApplicationAccessPolicy -Identity <user@domain.com> -AppId <YourAppId>
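The four steps above, carried through as one script. This is an added example, not code from the original page or from Microsoft; every identifier it takes as a parameter (admin UPN, app ID, group, the two test mailboxes) is a placeholder you supply. It does what a practitioner would actually want on top of the bare cmdlets: it checks that the scope group really is a mail-enabled security group before creating the policy, avoids creating a second policy for the same app, and then verifies the result with Test-ApplicationAccessPolicy from both sides, one mailbox inside the group (expected AccessCheckResult "Granted") and one outside it (expected "Denied"), since a test against only an in-scope mailbox cannot show that the restriction is effective.

```powershell
# Added example (not from the original page): create an application access
# policy for one app and verify it from both sides. All parameter values are
# placeholders that you must supply for your own tenant.
#Requires -Modules ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $AdminUpn,         # e.g. admin@contoso.com (placeholder)
    [Parameter(Mandatory)] [string] $AppId,            # Application (client) ID of the app registration
    [Parameter(Mandatory)] [string] $ScopeGroup,       # mail-enabled security group (SMTP address or object ID)
    [Parameter(Mandatory)] [string] $MemberMailbox,    # a mailbox that IS a member of the group
    [Parameter(Mandatory)] [string] $OutsiderMailbox   # a mailbox that is NOT a member of the group
)

$ErrorActionPreference = 'Stop'

# Step 1: make sure the module is present, then connect.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 2: confirm the scope group exists and is a mail-enabled *security* group,
# not a plain distribution group or a Microsoft 365 group.
$group = Get-DistributionGroup -Identity $ScopeGroup
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$ScopeGroup is '$($group.RecipientTypeDetails)', not a mail-enabled security group."
}

# Step 3: create the RestrictAccess policy unless this app already has one.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    Write-Host "An application access policy already exists for app $AppId:"
    $existing | Format-List AppId, ScopeName, AccessRight, Description
}
else {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $group.ExternalDirectoryObjectId `
        -AccessRight RestrictAccess `
        -Description "Limit app $AppId to members of $($group.DisplayName)"
}

# Step 4: verify. Test-ApplicationAccessPolicy resolves the policy for one
# mailbox; AccessCheckResult is 'Granted' when the app may reach it, 'Denied' otherwise.
function Test-ScopedAccess {
    param([string] $Mailbox, [string] $Expected)
    $r = Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $Mailbox
        Result   = $r.AccessCheckResult
        Expected = $Expected
        Pass     = ($r.AccessCheckResult -eq $Expected)
    }
}

$checks = @(
    (Test-ScopedAccess -Mailbox $MemberMailbox   -Expected 'Granted'),
    (Test-ScopedAccess -Mailbox $OutsiderMailbox -Expected 'Denied')
)
$checks | Format-Table -AutoSize

if ($checks.Pass -contains $false) {
    Write-Warning "Policy does not (yet) resolve as expected; allow time for propagation and re-run the checks."
}

Disconnect-ExchangeOnline -Confirm:$false
```

The policy is passed the group's ExternalDirectoryObjectId, which is the Azure AD Object ID that step 3 asks for; the cmdlet also accepts the group's SMTP address. The "Denied" check for the outsider mailbox is the one that matters: if it comes back "Granted", the app is still tenant-wide for that mailbox, whether because the policy has not propagated yet or because the group membership is not what you assumed.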