Restrict Exchange Online Application Access (Client Configuration Guide)

Modified on Wed, 24 Dec at 10:19 PM

Audience

Client IT / Microsoft 365 Administrators

Purpose

This document explains how a client administrator can restrict an Exchange Online application’s mailbox access using Application Access Policies.
This ensures the application can access only explicitly approved mailboxes, improving security and compliance.


When Is This Required?

Clients should follow this guide if:

  • An application uses EWS or Microsoft Graph with application permissions

  • Mailbox access must be limited to selected users

  • Security, audit, or compliance controls are required (ISO / ISMS / internal policy)


Prerequisites (Client Responsibility)

  • Microsoft 365 Global Admin or Exchange Admin role

  • Exchange Online PowerShell (EXO v2)

  • Azure AD / Microsoft Entra ID PowerShell

  • Application AppId (provided separately)

  • Mailbox email addresses that need access


Step 1: Create a Security Group

Create a security group that defines which mailboxes the application may access.

# Application Access Policies can only be scoped to a mail-enabled security group,
# which must be created from Exchange Online PowerShell (New-AzureADGroup cannot
# create mail-enabled groups). Run this in a Connect-ExchangeOnline session.
New-DistributionGroup `
    -Name "gp-ews-app-access" `
    -Alias gp-ews-app-access `
    -PrimarySmtpAddress gp-ews-app-access@yourdomain.com `
    -Type Security

Only mailboxes added to this group will be accessible to the application.


Step 2: Create Application Access Policy

Restrict the application so it can access only members of the security group.

New-ApplicationAccessPolicy `
    -AppId "<APPLICATION_APP_ID>" `
    -PolicyScopeGroupId gp-ews-app-access@yourdomain.com `
    -AccessRight RestrictAccess `
    -Description "Restrict application access to approved mailboxes only"

Result

  • Application access to all other mailboxes is blocked

  • Only users in the group are accessible


Step 3: Test the Policy

Verify whether a mailbox is allowed or denied.

Test-ApplicationAccessPolicy `
    -Identity user@yourdomain.com `
    -AppId "<APPLICATION_APP_ID>"

Output Interpretation

  • AccessAllowed : True → Access permitted

  • AccessAllowed : False → Access denied


Step 4: Grant Mailbox Access

To allow the application to access a mailbox, add the user to the group.

# Membership of the mail-enabled security group is managed with the
# distribution group cmdlets of Exchange Online PowerShell.
Add-DistributionGroupMember `
    -Identity "gp-ews-app-access@yourdomain.com" `
    -Member user@yourdomain.com

⏳ Changes may take 10–30 minutes to apply.
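After Step 4 an administrator usually wants evidence that the restriction holds for the whole tenant, not only for the single mailbox checked in Step 3. The script below is an added example and is not part of the original guide; it assumes an active Connect-ExchangeOnline session, the group address from Step 1, the AppId from Step 2, and the AccessCheckResult property returned by Test-ApplicationAccessPolicy.

```powershell
# Added verification script; not part of the original guide. Assumes an existing
# Connect-ExchangeOnline session and that $AppId and $GroupAddress are the values
# used in Steps 1 and 2. Cmdlet and property names are those of the Exchange
# Online PowerShell module (Get-/Test-ApplicationAccessPolicy output).
param(
    [Parameter(Mandatory)][string]$AppId,
    [string]$GroupAddress = "gp-ews-app-access@yourdomain.com"
)

# 1. A RestrictAccess policy must exist for this AppId; without one the
#    application can reach every mailbox in the tenant.
$policies = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policies) {
    Write-Warning "No Application Access Policy found for AppId $AppId; the application is unrestricted."
}
$policies | Format-Table AppId, ScopeName, AccessRight, Description -AutoSize

# 2. The approved set is the membership of the scope group from Step 1.
$approved = Get-DistributionGroupMember -Identity $GroupAddress -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }

# 3. Ask Exchange Online, for every mailbox, whether the application may access it,
#    and compare the answer with the approved set.
$report = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    $smtp    = $mbx.PrimarySmtpAddress.ToString().ToLower()
    $result  = Test-ApplicationAccessPolicy -Identity $smtp -AppId $AppId
    $granted = $result.AccessCheckResult -eq 'Granted'
    $inGroup = $approved -contains $smtp

    if ($granted -and -not $inGroup)     { $finding = 'UNEXPECTED ACCESS' }   # policy gap
    elseif (-not $granted -and $inGroup) { $finding = 'DENIED BUT APPROVED' } # propagation delay or policy error
    else                                 { $finding = 'OK' }

    [pscustomobject]@{ Mailbox = $smtp; InGroup = $inGroup; Granted = $granted; Finding = $finding }
}

# 4. Show the full picture and keep the non-OK rows as evidence for the audit trail.
$report | Sort-Object Finding, Mailbox | Format-Table -AutoSize
$report | Where-Object { $_.Finding -ne 'OK' } |
    Export-Csv -NoTypeInformation -Path .\app-access-findings.csv
```

Test-ApplicationAccessPolicy is called once per mailbox, so on a large tenant run this outside business hours or narrow Get-EXOMailbox with -Filter; rows marked DENIED BUT APPROVED immediately after Step 4 are usually the propagation delay noted above.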


Removing Access (Optional)

Remove a Mailbox from Access

Remove-DistributionGroupMember `
    -Identity "gp-ews-app-access@yourdomain.com" `
    -Member user@yourdomain.com

Remove the Application Access Policy

# Look up the policy identity first; the Identity column of this output is the value to remove.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq "<APPLICATION_APP_ID>" }

Remove-ApplicationAccessPolicy -Identity "<Policy Identity>"

⚠ Removing the policy restores the application’s default mailbox access behavior.
