How can I restrict DatabeatOMNI's application permissions to my Microsoft 365 resources mailbox?

Using Exchange Online PowerShell, you can restrict OMNI's application permissions with a single command.

In Exchange Online PowerShell, you create the policy with this command:
New-ApplicationAccessPolicy -AppId [DatabeatOMNI Business AppID found in AAD] -PolicyScopeGroupId [] -AccessRight RestrictAccess -Description "Restrict read scope for DatabeatOMNI"

If you wish to test OMNI's application permissions, there is a simple command which will return "Denied" or "Granted" based on application permission in Azure Active Directory:
Test-ApplicationAccessPolicy -Identity [] -AppID [DatabeatOMNI Business AppID found in AAD]


Below, I will explain how to do so in simple steps:

  1. Connect to Exchange Online PowerShell. For details about how to do this, take a look at Microsoft's guide on Connect to Exchange Online PowerShell.
  2. Identify the app's client ID and a mail-enabled security group to restrict the app's access to.
    1. Identify the app's application (client) ID in the Azure App registration portal.
    2. Create a new mail-enabled security group or use an existing one and identify the email address for the group.
  3. Create an application access policy by running the following command, replacing the arguments for AppId, PolicyScopeGroupId and Description.
    New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
  4. Test the newly created application access policy by running the following command, replacing the arguments for Identity and AppId.
    Test-ApplicationAccessPolicy -Identity -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b

Note: Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy shows positive results.
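The steps above as one script, an added example that is not DatabeatOMNI's or Microsoft's own code: it creates the policy if the app has none, then checks that a mailbox inside the group returns "Granted" and a mailbox outside it returns "Denied". The four values at the top are placeholders to replace with your own.

```powershell
# Added example. All four values are placeholders (assumptions), not real identifiers.
$AppId         = '00000000-0000-0000-0000-000000000000'  # DatabeatOMNI application (client) ID
$ScopeGroup    = 'omni-resources@example.com'            # mail-enabled security group
$InScopeMbx    = 'meetingroom1@example.com'              # resource mailbox that IS a group member
$OutOfScopeMbx = 'someuser@example.com'                  # mailbox that is NOT a group member

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

try {
    # Step 3: create the policy only if this app does not already have one.
    $existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
    if (-not $existing) {
        New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
            -AccessRight RestrictAccess `
            -Description 'Restrict read scope for DatabeatOMNI' | Out-Null
    }

    # Step 4: test both sides of the boundary, not only the allowed mailbox.
    $checks = @(
        [pscustomobject]@{ Mailbox = $InScopeMbx;    Expected = 'Granted' }
        [pscustomobject]@{ Mailbox = $OutOfScopeMbx; Expected = 'Denied'  }
    )

    $results = foreach ($c in $checks) {
        $r = Test-ApplicationAccessPolicy -Identity $c.Mailbox -AppId $AppId
        [pscustomobject]@{
            Mailbox  = $c.Mailbox
            Expected = $c.Expected
            Actual   = [string]$r.AccessCheckResult
            Pass     = ([string]$r.AccessCheckResult -eq $c.Expected)
        }
    }

    $results | Format-Table -AutoSize

    # Fail loudly if the app can reach a mailbox it should not, or is blocked from one it needs.
    if ($results.Pass -contains $false) {
        throw 'Application access policy does not match the intended scope.'
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

A "Denied" result for the out-of-scope mailbox is the check that shows the restriction is in force; a "Granted" result there means the app can still reach mailboxes outside the group.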


If you wish to learn more about restricting access through access policies, head over to Microsoft's documentation.