
Azure Application Access Policies

This document explains how application access policies in Exchange Online can restrict an application's permission, for example "Group.Read.All", to a subset of mail-enabled security groups.

To limit the scope of Group.Read.All permissions in Microsoft Graph to specific mail-enabled security groups, use the following approach:

1- Ensure you have the Exchange Online PowerShell module installed, then connect to Exchange Online:

Connect-ExchangeOnline -UserPrincipalName <admin_user>@<domain>.com

2- Create a mail-enabled security group in Azure AD, or use an existing one. The group must be mail-enabled and must contain the users and groups the application is allowed to access.

3- Create the application access policy: use the New-ApplicationAccessPolicy cmdlet to create a policy that limits the app's access to the desired group:

New-ApplicationAccessPolicy -AppId <YourAppId> -PolicyScopeGroupId <MailEnabledSecurityGroupId> -AccessRight RestrictAccess -Description "Limit app access to this group"

AppId: This is the Application ID (Client ID) of your registered application in Azure AD.
PolicyScopeGroupId: The Object ID of the mail-enabled security group you want to allow access to.

4- Test the policy (optional): verify the policy with Test-ApplicationAccessPolicy:

Test-ApplicationAccessPolicy -Identity <user@domain.com> -AppId <YourAppId>
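The four steps above, carried through as one script. This is an added example and not code from the original page or from Microsoft; the app ID, group name and mailbox addresses are placeholders you must replace. It adds two checks a practitioner would want before trusting the policy: that the resolved group really is a mail-enabled security group, and that the policy denies a mailbox outside the group as well as granting one inside it.

```powershell
# Added example (not from the original page): create and verify an application access policy.
# Every identifier below is a placeholder; replace with your own values.
$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the app registration
$GroupName  = 'app-scope-mailboxes'                    # placeholder: name of the mail-enabled security group
$InScope    = 'alice@contoso.example'                  # placeholder: a mailbox that is a member of the group
$OutOfScope = 'bob@contoso.example'                    # placeholder: a mailbox that is NOT a member of the group

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin account

# Resolve the group and confirm it is a mail-enabled security group, not a plain distribution list.
$group = Get-DistributionGroup -Identity $GroupName
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "'$GroupName' is not a mail-enabled security group (found $($group.RecipientTypeDetails))."
}

# Surface any policy that already exists for this app so overlapping policies are not created by accident.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    Write-Warning "A policy already exists for app $AppId; review it before adding another."
    $existing | Format-List
}

# RestrictAccess: the app may reach only mailboxes that are members of the scope group.
# DenyAccess is the other supported value and blocks the app from those mailboxes instead.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $group.ExternalDirectoryObjectId `
    -AccessRight RestrictAccess `
    -Description "Limit app $AppId to members of $GroupName"

# Check both sides of the boundary. Policy changes can take up to 30 minutes to take effect,
# so a surprising result right after creation does not necessarily mean a misconfiguration.
foreach ($mailbox in @($InScope, $OutOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    Write-Output ("{0,-30} {1}" -f $mailbox, $result.AccessCheckResult)
}
```

A correctly scoped policy reports AccessCheckResult of Granted for the in-scope mailbox and Denied for the out-of-scope one; testing only a mailbox that should be granted proves nothing about what the app is still able to reach. Get-DistributionGroup is used here because Exchange Online returns mail-enabled security groups through that cmdlet, and its ExternalDirectoryObjectId property is the Azure AD object ID the policy expects.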