
Restrict Promodag application access to the content of specific mailboxes

If you use certificate-based authentication to Office 365, the full_access_as_app authorization by default grants the Promodag Reports application published in Microsoft Entra ID access to all mailboxes in the Office 365 tenant. You can restrict this access to a group of mailboxes by following this procedure.

Create a mail-enabled security group

The first step is to create a mail-enabled security group in the Microsoft 365 administration center.
All mailboxes to be analyzed by content reports in Promodag Reports will be added as members.

Create a new Application Access Policy

Next, create an access policy for the Promodag Reports application using this command, which uses the application ID and the group’s email address:

New-ApplicationAccessPolicy -AppId <application ID> -PolicyScopeGroupId <email address of the group> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group xxx."

The application ID can be found in Promodag Reports in the Office 365 configuration tab of Tools > Options.

Finally, test that the policy has been applied correctly by running this command against a mailbox that is not a member of the security group:

Test-ApplicationAccessPolicy -Identity <mailbox email address> -AppId <application ID>

Note: Changes to application access policies may take more than an hour to take effect, even if the test results are positive.
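
The procedure above as a single script, added here as an example and not Promodag's own code: it confirms the scope group is a mail-enabled security group, creates the policy if the application has none, and tests one member and one non-member mailbox. The application ID and all addresses are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example. All values below are placeholders: replace them with your own.
$AppId        = '00000000-0000-0000-0000-000000000000'  # application ID from Tools > Options
$ScopeGroup   = 'promodag-scope@example.com'            # mail-enabled security group
$MemberMbx    = 'in-scope.user@example.com'             # mailbox that IS a member
$NonMemberMbx = 'out-of-scope.user@example.com'         # mailbox that is NOT a member

Connect-ExchangeOnline   # interactive sign-in

# 1. The policy scope must be a mail-enabled security group.
$group = Get-DistributionGroup -Identity $ScopeGroup -ErrorAction Stop
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$ScopeGroup is '$($group.RecipientTypeDetails)', not a mail-enabled security group."
}

# 2. Create the policy only if this application has none yet.
#    Existing policies are printed so an unexpected scope can be reviewed by hand.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    $existing | Format-List Identity, ScopeName, AccessRight, Description
} else {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description "Restrict this app to members of $ScopeGroup."
}

# 3. Test both sides of the boundary: a member should be granted access,
#    a non-member should be denied.
$expected = [ordered]@{ $MemberMbx = 'Granted'; $NonMemberMbx = 'Denied' }
$results = foreach ($mbx in $expected.Keys) {
    $test = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mbx
        Expected = $expected[$mbx]
        Actual   = [string]$test.AccessCheckResult
    }
}
$results | Format-Table -AutoSize

$mismatch = $results | Where-Object { $_.Actual -ne $_.Expected }
if ($mismatch) {
    Write-Warning "Policy does not match the intended scope for: $($mismatch.Mailbox -join ', ')"
}
```

Testing a member as well as a non-member catches a policy that denies everything, for example because the group has no members yet.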

Related article: Configure certificate-based authentication to Office 365

 
