Restrict Domain-Wide Authorization to a Microsoft 365 Security Group

Limit CalendarBridge’s application access to only the members of a mail-enabled security group, using an Exchange Online application access policy.

Chad, updated January 10, 2024

Steps

  1. In the Exchange admin console, create a mail-enabled security group that includes the users you want to allow CalendarBridge to access.
  2. Run PowerShell as administrator.
  3. Run these commands:
    1. Install-Module -Name ExchangeOnlineManagement
    2. Import-Module ExchangeOnlineManagement
      • If you get an error that running scripts is disabled, run Set-ExecutionPolicy RemoteSigned.
      • Once done, you can set it back with Set-ExecutionPolicy Restricted.
    3. Connect-ExchangeOnline -UserPrincipalName <email address of Exchange Online admin>
    4. New-ApplicationAccessPolicy -AppId a0dc78e0-066a-4aeb-b1e6-0f3efa277ed3 -PolicyScopeGroupId <name of mail-enabled security group> -AccessRight RestrictAccess -Description "Restrict CalendarBridge to only members of <name of mail-enabled security group>."
    5. Test-ApplicationAccessPolicy -Identity <email address of user in group> -AppId a0dc78e0-066a-4aeb-b1e6-0f3efa277ed3 — this should return “granted.”
    6. Test-ApplicationAccessPolicy -Identity <email address of user NOT in group> -AppId a0dc78e0-066a-4aeb-b1e6-0f3efa277ed3 — this should return “denied.”
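
One way to run the two checks from the last steps across several mailboxes at once and to list the policies that apply to the app. This is an added example, not CalendarBridge's or the author's script. It assumes an active Connect-ExchangeOnline session, and the mailbox addresses are constructed placeholders.

```powershell
# Added example: verify that the application access policy scopes the app as intended.
# Assumes Connect-ExchangeOnline has already been run (see the steps above).
$AppId = 'a0dc78e0-066a-4aeb-b1e6-0f3efa277ed3'   # AppId used in the steps above

# Constructed placeholder addresses; replace with real mailboxes in your tenant.
$Expected = [ordered]@{
    'in-group-user@example.com'     = 'Granted'
    'out-of-group-user@example.com' = 'Denied'
}

# List every policy for this AppId so a missing or duplicate policy is visible.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })
if ($policies.Count -eq 0) {
    Write-Warning "No application access policy found for $AppId. The app is not restricted."
}
$policies | Format-List Identity, ScopeName, AccessRight, Description | Out-Host

# Test each mailbox and compare the result with what the policy should produce.
$results = foreach ($mailbox in $Expected.Keys) {
    $check  = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    $actual = [string]$check.AccessCheckResult
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $Expected[$mailbox]
        Actual   = $actual
        Pass     = ($actual -eq $Expected[$mailbox])
    }
}
$results | Format-Table -AutoSize | Out-Host

# Fail loudly if any mailbox is reachable (or blocked) when it should not be.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    throw "$($failed.Count) mailbox(es) did not match the expected access result."
}
```

Per Microsoft's documentation, policy changes can take longer than an hour to take effect for Microsoft Graph calls, even when Test-ApplicationAccessPolicy already reports the expected result.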