Using Exchange Online PowerShell, you can restrict OMNI's application permissions with one simple command.
In Exchange Online PowerShell, create the policy with this command:
New-ApplicationAccessPolicy -AppId [DatabeatOMNI Business AppID found in AAD] -PolicyScopeGroupId [groupname@tenant.com] -AccessRight RestrictAccess -Description "Restrict read scope for DatabeatOMNI"
If you wish to test OMNI's application permissions, there is a simple command which will return "Denied" or "Granted" based on application permission in Azure Active Directory:
Test-ApplicationAccessPolicy -Identity [Resource@tenant.com] -AppID [DatabeatOMNI Business AppID found in AAD]
Below, I will explain how to do so in simple steps:
- Connect to Exchange Online PowerShell. For details about how to do this, take a look at Microsoft's guide, Connect to Exchange Online PowerShell.
- Identify the app's client ID and a mail-enabled security group to restrict the app's access to.
  - Identify the app's application (client) ID in the Azure App registration portal.
  - Create a new mail-enabled security group or use an existing one and identify the email address for the group.
- Create an application access policy by running the following command, replacing the arguments for AppId, PolicyScopeGroupId and Description.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
- Test the newly created application access policy by running the following command, replacing the arguments for Identity and AppId.
Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
Note: Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy shows positive results.
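The steps above, as an added example script (not Databeat's or Microsoft's own code) that checks the policy from both sides: a mailbox inside the scope group should return "Granted" and a mailbox outside it should return "Denied". The AppId and mailbox addresses are constructed placeholders, and the parameter and variable names are assumptions made for this example.

```powershell
# Added example: create the RestrictAccess policy if missing, then verify it
# against mailboxes inside and outside the scope group.
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',  # placeholder: OMNI app (client) ID from AAD
    [string]$ScopeGroup   = 'groupname@tenant.com',                  # mail-enabled security group
    [string[]]$InScope    = @('resource-in-group@tenant.com'),       # constructed: members of the group
    [string[]]$OutOfScope = @('resource-outside@tenant.com')         # constructed: non-members
)

Connect-ExchangeOnline -ShowBanner:$false

# Create the policy only if this app has no RestrictAccess policy yet.
$existing = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess -Description 'Restrict read scope for DatabeatOMNI'
}

# Expected result per mailbox: members are Granted, everyone else is Denied.
$expected = [ordered]@{}
$InScope    | ForEach-Object { $expected[$_] = 'Granted' }
$OutOfScope | ForEach-Object { $expected[$_] = 'Denied' }

$results = foreach ($mailbox in $expected.Keys) {
    $r = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $expected[$mailbox]
        Actual   = [string]$r.AccessCheckResult
        Ok       = ([string]$r.AccessCheckResult -eq $expected[$mailbox])
    }
}
$results | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false

# Fail loudly if any mailbox did not match; an out-of-scope "Granted" means
# the app can still reach mailboxes the policy was meant to exclude.
if ($results.Ok -contains $false) {
    Write-Error 'Application access policy did not return the expected results.'
    exit 1
}
```

A passing run only confirms what Exchange Online reports; as the note above says, Microsoft Graph calls can lag behind that result.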
If you wish to learn more about restricting access through access policies, head over to Microsoft's documentation.