Setting up Exchange access policy to restrict accessible mailboxes

Updated by Jaspreet Bakshi

An Exchange access policy is a set of rules defined on the Exchange server that imposes mailbox-related restrictions on apps. It provides an independent, "sideways" control which guarantees that the DotAlign system can, under no circumstances, analyze mailboxes beyond the officially designated ones. More information about setting up an Exchange access policy can be found here.

The following are the steps used to set up a new Exchange application access policy using PowerShell commands. By using this policy, you can control what mailboxes the DotAlign solution will be allowed to access.

  1. Connect to Exchange using PowerShell - The following commands load the PowerShell module for Exchange Online and let you authenticate with your Entra ID account so that the remaining commands can be run.
> Import-Module ExchangeOnlineManagement
> Connect-ExchangeOnline

Details and other options related to connecting to Exchange using PowerShell are described here.

  2. Obtain the client id of the app registration and the group id of the Entra group - The client id can be obtained from the Azure portal by going to Entra ID > App registrations > DotAlign's primary app registration. The group referenced here is a mail-enabled security group that can be created inside Entra.
  3. Create the Exchange application access policy - The policy can be created using the following command, plugging in the values for the client id and the group id.
> New-ApplicationAccessPolicy `
-AppId <CLIENT_ID_OF_APP_REGISTRATION> `
-PolicyScopeGroupId <GUID_OF_ENTRA_GROUP> `
-AccessRight RestrictAccess `
-Description "Restrict this app to members of mail enabled security group"

As per the documentation of New-ApplicationAccessPolicy, the entity or principal that is the target of the policy is specified using the "-PolicyScopeGroupId" parameter. The value supplied for that parameter can be any of the following:

  • Name
  • Distinguished name (DN)
  • Display name
  • Email address
  • GUID
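As an added example (not DotAlign's own script), the following PowerShell session performs the steps above end to end and then verifies the result with Test-ApplicationAccessPolicy, which reports whether the app is Granted or Denied access to a given mailbox. The GUIDs and mailbox addresses are placeholders; the member/non-member mailboxes are assumed to exist in your tenant.

```powershell
# Added example, not part of the original article. All ids below are placeholders.
$AppId     = '00000000-0000-0000-0000-000000000000'   # client id of DotAlign's app registration
$GroupId   = '11111111-1111-1111-1111-111111111111'   # object id of the mail-enabled security group
$Member    = 'alice@contoso.example'   # assumed: a mailbox that IS a member of the group
$NonMember = 'bob@contoso.example'     # assumed: a mailbox that is NOT a member of the group

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Create the restriction only if no policy already exists for this app id
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupId `
        -AccessRight RestrictAccess `
        -Description 'Restrict this app to members of mail enabled security group'
}

# Verify the scope: expect Granted for the group member and Denied for everyone else
foreach ($mbx in @($Member, $NonMember)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    '{0,-30} {1}' -f $mbx, $result.AccessCheckResult
}
```

A Denied result for the non-member mailbox is the evidence that the restriction is in force; changes to application access policies can take up to 30 minutes to take effect, so re-run the verification loop if the first check still shows Granted.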
