Using PowerShell Online Exchange, you can restrict OMNI's application permissions with one simple command.
In PowerShell Online Exchange, it is possible to create a policy using this command:
New-ApplicationAccessPolicy -AppId [DatabeatOMNI Business AppID found in AAD] -PolicyScopeGroupId [email@example.com] -AccessRight RestrictAccess -Description "Restrict read scope for DatabeatOMNI"
If you wish to test OMNI's application permissions, there is a simple command which will return "Denied" or "Granted" based on application permission in Azure Active Directory:
Test-ApplicationAccessPolicy -Identity [Resource@tenant.com] -AppID [DatabeatOMNI Business AppID found in AAD]
Below, I will explain how to do so in simple steps:
- Connect to Exchange Online Powershell, for details about how to do this, take a look at Microsoft's guide on Connect to Exchange Online Powershell.
- Identify the app's client ID and a mail-enabled security group to restrict the app's access to.
- Identify the app's application (client) ID in the Azure App registration portal.
- Create a new mail-enabled security group or use an existing one and identify the email address for the group.
- Create an application access policy by running the following command, replacing the arguments for AppId, PolicyScopeGroupId and Description.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
- Test the newly created application access policy by running the following command, replacing the arguments for Identity and AppId.
Test-ApplicationAccessPolicy -Identity firstname.lastname@example.org -AppId e7e4dbfc-046-4074-9b3b-2ae8f144f59b
Note: Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy shows positive results.
If you wish to learn more about restricting access through access policies, head over to Microsoft's documentation.