Limiting Azure AD App Permissions to Specific Mailboxes

Restrict application access to only the mailboxes being migrated.

Last updated: 2025-01-15 | How To

Overview

By default, Azure AD applications with full_access_as_app permission can access all mailboxes in your tenant. This guide shows how to restrict access to only specific mailboxes using ApplicationAccessPolicy.

Use Case

Limit Cloudiway's access to only the mailboxes that need to be migrated, rather than granting access to all mailboxes in the organization.

Permission Restriction Flow

All Mailboxes (default access) → Security Group (define scope) → Limited Access (only group members)

Requirements

Before You Begin

  • Exchange Online PowerShell module installed
  • Exchange Administrator or Global Administrator role
  • Azure AD application ID (Client ID) from your app registration
  • Mail-enabled security group containing target mailboxes

Step 1: Create Security Group

Create Mail-Enabled Security Group

Create a security group and add all mailboxes that Cloudiway should access:

Via Microsoft 365 Admin Center

  1. Go to Groups → Active groups
  2. Click "Add a group"
  3. Select "Mail-enabled security"
  4. Name the group (e.g., "Cloudiway Migration Scope")
  5. Add members (mailboxes to be migrated)

Step 2: Create Application Access Policy

PowerShell Commands

Connect to Exchange Online

Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Create the Policy

New-ApplicationAccessPolicy `
  -AppId "YOUR-APPLICATION-ID" `
  -PolicyScopeGroupId "CloudiwayMigrationScope@yourdomain.com" `
  -AccessRight RestrictAccess `
  -Description "Restrict Cloudiway to migration mailboxes only"

Parameters Explained

  • AppId: The Application (Client) ID from Azure AD app registration
  • PolicyScopeGroupId: Email address of your security group
  • AccessRight: Use RestrictAccess to limit to group members only

Propagation Time

The policy may take up to 30 minutes to take effect across all Exchange Online servers.

Step 3: Test the Policy

Verify Access Restrictions

Test Access to a Mailbox

Test-ApplicationAccessPolicy `
  -Identity user@yourdomain.com `
  -AppId "YOUR-APPLICATION-ID"

Expected Results

  • AccessCheckResult: Granted - User is in the security group
  • AccessCheckResult: Denied - User is NOT in the security group

View All Policies

Get-ApplicationAccessPolicy
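
The following script is an added example, not part of this guide or Cloudiway's own tooling. It ties Steps 2 and 3 together: it resolves the scope group, creates the RestrictAccess policy only if none exists for the application, then runs Test-ApplicationAccessPolicy against every mailbox in the group (expecting Granted) and against one control mailbox outside the group (expecting Denied), so you can confirm the restriction before handing the application ID to the migration tool. The application ID, group alias, admin UPN and control mailbox are placeholders you must replace with values from your tenant.

```powershell
# Added example: create and verify an ApplicationAccessPolicy end to end.
# All of these values are placeholders for your own tenant.
$AppId          = "00000000-0000-0000-0000-000000000000"   # Application (Client) ID of the app registration
$GroupAlias     = "CloudiwayMigrationScope"                 # alias of the mail-enabled security group
$AdminUpn       = "admin@yourdomain.com"                    # account holding Exchange Administrator
$ControlMailbox = "not.migrating@yourdomain.com"            # a mailbox that is NOT a group member

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Resolve the group and fail early if it is not a mail-enabled security group,
# since PolicyScopeGroupId must point at one.
$group = Get-DistributionGroup -Identity $GroupAlias -ErrorAction Stop
if ($group.RecipientTypeDetails -ne "MailUniversalSecurityGroup") {
    throw "$GroupAlias is not a mail-enabled security group (found $($group.RecipientTypeDetails))."
}

# Create the policy once; a second policy for the same AppId would only add confusion.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    $policy = New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $group.PrimarySmtpAddress `
        -AccessRight RestrictAccess `
        -Description "Restrict Cloudiway to migration mailboxes only"
}
# Keep this Identity: it is what Remove-ApplicationAccessPolicy -Identity expects later.
Write-Host "Policy identity: $($policy.Identity)"

function Test-MigrationScope {
    # Returns one row per tested mailbox with the expected and actual AccessCheckResult.
    param(
        [string]   $AppId,
        [string[]] $InScope,      # mailboxes that should be Granted
        [string[]] $OutOfScope    # mailboxes that should be Denied
    )
    $rows = [System.Collections.Generic.List[object]]::new()
    foreach ($pair in @(@($InScope, "Granted"), @($OutOfScope, "Denied"))) {
        $addresses, $expected = $pair
        foreach ($addr in $addresses) {
            $result = Test-ApplicationAccessPolicy -Identity $addr -AppId $AppId
            $rows.Add([pscustomobject]@{
                Mailbox  = $addr
                Expected = $expected
                Actual   = $result.AccessCheckResult
                Ok       = ($result.AccessCheckResult -eq $expected)
            })
        }
    }
    return $rows
}

# Only mailbox-type members are testable; nested groups or contacts are skipped here.
$inScope = Get-DistributionGroupMember -Identity $GroupAlias -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -like "*Mailbox" } |
    Select-Object -ExpandProperty PrimarySmtpAddress

$report = Test-MigrationScope -AppId $AppId -InScope $inScope -OutOfScope @($ControlMailbox)
$report | Format-Table -AutoSize

# A Denied that still shows as Granted right after creation usually means the policy has
# not propagated yet (allow up to 30 minutes) rather than a misconfiguration.
$failures = $report | Where-Object { -not $_.Ok }
if ($failures) {
    Write-Warning "$($failures.Count) mailbox(es) did not match the expected result; re-run after propagation."
} else {
    Write-Host "Scope verified: $($inScope.Count) mailboxes granted, control mailbox denied."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a session that has the Exchange Online PowerShell module installed. The control mailbox is the important half of the check: without a Denied result for an address outside the group, a Granted for group members proves nothing, because that is also what you get with no policy at all.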

Managing the Policy

To remove the policy later, use: Remove-ApplicationAccessPolicy -Identity "PolicyId", where PolicyId is the Identity value shown by Get-ApplicationAccessPolicy.
