When you grant consent to our Calendar Sync application in Entra ID, deskbird receives Graph API access to all calendars within the Microsoft 365 tenant. We recommend implementing an Application Access Policy and Management Scope to restrict that access to specific calendars and to ensure controlled access.
The Application Access Policy can be configured to restrict or deny Graph API access to members of a mail-enabled security group.
-
Permissions
There are two permission options that can be applied within the Application Access Policy, based on your requirements for granting or denying access to the mailboxes added to the mail-enabled security group:
a) DenyAccess: This option denies access to mailboxes within the group while allowing access to all other mailboxes.
b) RestrictAccess: This option allows access to mailboxes within the group while restricting access to all other mailboxes.
By carefully configuring the Application Access Policy and Management Scope, you can ensure the appropriate level of access control for your organization's calendars.
Learn more about New-ApplicationAccessPolicy at Microsoft here.
-
How to set up an Application Access Policy:
Use the following PowerShell scripts to create a new mail-enabled security group, an Application Access Policy and the Management Scope, to restrict access to specific mailboxes.
- Log in with your Microsoft 365 admin account and run the following scripts to create the session.
```powershell
# Allow locally created scripts to run; downloaded scripts must still be signed
Set-ExecutionPolicy RemoteSigned
# Prompt for the Microsoft 365 admin credentials
$UserCredential = Get-Credential
# Connect to Exchange Online using the Exchange Online PowerShell module
Connect-ExchangeOnline -Credential $UserCredential
# Legacy remote PowerShell session (Basic authentication). Microsoft has deprecated this
# connection method; once Connect-ExchangeOnline succeeds, the next two lines are not
# needed and will fail in tenants where Basic authentication is disabled.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
```
- Check that your Microsoft 365 Service account does not have full impersonation rights.
- Create a new mail-enabled security group to manage the mailboxes, which you will either allow or deny access to.
```powershell
# Create the mail-enabled security group that will scope the policy
New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type Security
```
- Create an Application Access Policy on the mail-enabled security group.
```powershell
# Create the policy; RestrictAccess limits the app to the mailboxes in the group
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"
```
- AccessRight: Replace "RestrictAccess" with "DenyAccess" to deny access to the calendars in the security group and allow access to all other calendars.
- AppId: Use the ID of deskbird's Calendar Sync application: "2136158e-a6bb-4e81-896d-5b898d0d2475"
- Retrieve the group identity (needed when mailboxes are added to the security group).
```powershell
# Store the group object so its identity can be used when adding members
$DG = Get-DistributionGroup -Identity "Enter Group Mailbox ID"
```
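The following script is an added, end-to-end example that is not part of deskbird's documentation. It ties the individual steps above together (the impersonation check, the security group, the RestrictAccess policy, adding members) and finishes with a verification step using Test-ApplicationAccessPolicy, so you can confirm the policy behaves the way the permission options describe: a mailbox inside the group reports Granted, a mailbox outside it reports Denied. It assumes an existing Connect-ExchangeOnline session; the group name, alias and mailbox addresses are placeholders, and only the deskbird app ID is taken from this page.

```powershell
# Added example (not deskbird's own script). Assumes Connect-ExchangeOnline has already
# been run with an Exchange administrator account. Group name, alias and addresses are
# placeholders; replace them with your own values.

$AppId            = "2136158e-a6bb-4e81-896d-5b898d0d2475"   # deskbird Calendar Sync app ID (from the page)
$GroupName        = "deskbird-calendar-sync-allowed"            # placeholder group name
$GroupAlias       = "deskbirdcalsync"                           # placeholder alias
$AllowedMailboxes = @("alice@contoso.example", "room-berlin@contoso.example")  # placeholders
$ControlMailbox   = "bob@contoso.example"                       # placeholder: deliberately NOT in the group

# 1. Check for ApplicationImpersonation assignments. A service account holding this role
#    can read any mailbox regardless of the policy, so the page asks you to verify this.
$impersonators = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
if ($impersonators) {
    Write-Warning ("ApplicationImpersonation is assigned to: " +
        (($impersonators | Select-Object -ExpandProperty EffectiveUserName -Unique) -join ', '))
}

# 2. Create the mail-enabled security group that scopes the policy (reuse it if it exists).
$DG = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $DG) {
    $DG = New-DistributionGroup -Name $GroupName -Alias $GroupAlias -Type Security
}

# 3. Add the mailboxes the app is allowed to reach.
foreach ($mbx in $AllowedMailboxes) {
    Add-DistributionGroupMember -Identity $DG.Identity -Member $mbx -ErrorAction SilentlyContinue
}

# 4. Create the policy. RestrictAccess: only group members are reachable by the app.
#    DenyAccess would invert this: group members are blocked, all other mailboxes reachable.
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $DG.PrimarySmtpAddress `
    -Description "deskbird Calendar Sync: restrict to $GroupName"

# 5. Verify the effective result per mailbox. Group members should show Granted,
#    the control mailbox Denied. Policy changes can take up to 30 minutes to apply.
foreach ($mbx in ($AllowedMailboxes + $ControlMailbox)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    "{0,-40} {1}" -f $mbx, $result.AccessCheckResult
}
```

Run the verification loop again after the propagation delay if every mailbox still reports Granted immediately after creating the policy; if the control mailbox never flips to Denied, re-check step 1, because an impersonation role assignment overrides the policy.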