Restricting App Access to Specific Users (Graph API)

By default, assigning the full_access_as_app permission grants your Microsoft Entra application access to all mailboxes within your tenant. To follow the principle of least privilege, you can create an ApplicationAccessPolicy in Exchange Online.

This policy restricts the application's access strictly to users within a designated Mail-Enabled Security Group, preventing the connector from interacting with unauthorized mailboxes.

Note: All commands in this guide must be executed in PowerShell with Administrator privileges. Ensure you have the necessary Exchange Online administrative rights before proceeding.

Step 1. Connect to Exchange Online

First, import the required module and authenticate with your Microsoft 365 tenant.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

Step 2. Create a Mail-Enabled Security Group

Warning: Group Type Restriction

Standard Microsoft Entra ID (Azure AD) security groups or Microsoft 365 groups are not supported for this specific policy. You must explicitly create a Mail-Enabled Security Group.

Run the following command to create the group:

New-DistributionGroup -Name "Sendent Sync Group" -Alias "sendentsyncgroup" -Type Security

Step 3. Add Users to the Group

You must add the specific users whose calendars and contacts will be synchronized by the connector.

$users = "user1@domain.com", "user2@domain.com"
foreach ($user in $users) {
    Add-DistributionGroupMember -Identity "sendentsyncgroup@domain.onmicrosoft.com" -Member $user
}

(Ensure you replace the domain in the -Identity parameter with your actual tenant domain).

Step 4. Create the Application Access Policy

Link your registered App ID to the group you just created. This explicitly denies access to anyone outside of the group.

New-ApplicationAccessPolicy `
-AppId "your-app-id" `
-PolicyScopeGroupId "sendentsyncgroup@domain.onmicrosoft.com" `
-AccessRight RestrictAccess `
-Description "Restrict Sendent Exchange Connector access to specific group only"

Step 5. Verify and Test the Policy

To confirm the policy was created successfully, retrieve it using your App ID:

Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq "your-app-id" }

You can actively test if the restrictions are working using the Test-ApplicationAccessPolicy command.

Test a user INSIDE the group (Expected result: Granted):

Test-ApplicationAccessPolicy -Identity "user1@domain.com" -AppId "your-app-id"

Test a user OUTSIDE the group (Expected result: Denied):

Test-ApplicationAccessPolicy -Identity "other-user@domain.com" -AppId "your-app-id"
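As an added verification script that is not part of the original article or the connector, the following runs the Step 5 check over every member of the group plus one control mailbox outside it, and also confirms that the scope group is a mail-enabled security group and that exactly one RestrictAccess policy exists for the App ID. The $AppId, $GroupId and $ControlUser values are the placeholders from the steps above; replace them with your tenant's values.

```powershell
# Added verification script; not part of the original article or the connector.
# Placeholders from the steps above: replace with your tenant's values.
$AppId       = "your-app-id"
$GroupId     = "sendentsyncgroup@domain.onmicrosoft.com"
$ControlUser = "other-user@domain.com"   # a mailbox deliberately NOT in the group

$failures = @()

# 1. The scope group must be a mail-enabled security group (see the Step 2 warning).
$group = Get-DistributionGroup -Identity $GroupId -ErrorAction Stop
if ($group.RecipientTypeDetails -ne "MailUniversalSecurityGroup") {
    $failures += "Group '$GroupId' has type $($group.RecipientTypeDetails), expected MailUniversalSecurityGroup."
}

# 2. Exactly one policy should exist for this App ID, and it must be RestrictAccess.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })
if ($policies.Count -ne 1) {
    $failures += "Expected 1 policy for AppId $AppId, found $($policies.Count)."
} elseif ($policies[0].AccessRight -ne "RestrictAccess") {
    $failures += "Policy for $AppId has AccessRight $($policies[0].AccessRight), expected RestrictAccess."
}

# 3. Expected outcome per mailbox: every group member Granted, the control user Denied.
$members = @(Get-DistributionGroupMember -Identity $GroupId |
             ForEach-Object { $_.PrimarySmtpAddress.ToString() })
if ($members -contains $ControlUser) {
    throw "Control user $ControlUser is a member of the group; pick a mailbox outside it."
}
$expected = @{}
foreach ($m in $members) { $expected[$m] = "Granted" }
$expected[$ControlUser] = "Denied"

# 4. Run Test-ApplicationAccessPolicy for each mailbox and compare with the expectation.
foreach ($entry in $expected.GetEnumerator()) {
    $result = Test-ApplicationAccessPolicy -Identity $entry.Key -AppId $AppId
    $actual = $result.AccessCheckResult
    $tag    = if ($actual -eq $entry.Value) { "OK  " } else { "FAIL" }
    Write-Host ("[{0}] {1,-40} expected {2,-7} got {3}" -f $tag, $entry.Key, $entry.Value, $actual)
    if ($tag -eq "FAIL") { $failures += "$($entry.Key): expected $($entry.Value), got $actual." }
}

if ($failures.Count -eq 0) {
    Write-Host "Policy verification passed."
} else {
    Write-Warning ("Policy verification found {0} issue(s):`n - {1}" -f $failures.Count, ($failures -join "`n - "))
    exit 1
}
```

Because of the propagation delay described under Important Considerations, a FAIL shortly after creating the policy may only mean it has not applied yet; rerun the script later before treating it as a misconfiguration.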

Removing the Policy

If you ever need to disable this restriction and delete the policy:

  • Find the Policy ID using the command below:

Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq "your-app-id" }

  • Run the following command:

Remove-ApplicationAccessPolicy -Identity "Your-Policy-Guid-Here" -Confirm:$false

Important Considerations & Troubleshooting

  • Propagation Delay: Microsoft 365 policies do not apply instantly. It can take anywhere from 1 hour to 24 hours for the policy to fully propagate and take effect across your tenant.

  • Management Limitations: Because this is a Mail-Enabled Security Group created via Exchange Online, you can only manage its membership through PowerShell or the Exchange Admin Center. You cannot edit its membership directly in the standard Azure/Entra Portal.

  • Visualizing the Group: Although you cannot edit it in the Entra Portal, you can still visually confirm the members by navigating to Entra ID > Groups > [Search for your group] > Members.
