Limit access to mailboxes

To enhance security and control over UMA's access to Microsoft 365, we allow organisations to limit access to specific users and resources.

This setup is optional, and UMA will function as expected without changes if the existing authorisation process has been applied.

We only access data configured by you via our admin portal, including users, room calendars and security groups.

Create a mail enabled security group

Add resources and mailboxes

Add all users and resources intended for use in UMA.

Connect with PowerShell

Launch PowerShell and connect using modern authentication:

Connect-ExchangeOnline -UserPrincipalName {Microsoft 365 admin email address}

Apply application access policy

Apply the application access policy to the UMA Vision enterprise application using the provided script:

New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "bea520a4-6256-441d-90af-37598ba710fd" -PolicyScopeGroupId "mail_enabled_security_email -Description "Restrict UMA to members of Mail Enabled Security Group (mail_enabled_security_name)."

Parameters:

AppId: UMA Vision enterprise application ID.
mailenabledsecurityemail: Email address set up in Step 1.
Description: A description of the policy.

Test the policy

Test the newly created application access policy:

Test-ApplicationAccessPolicy -Identity {EmailAddressInGroup} -AppId bea520a4-6256-441d-90af-37598ba710fd

An AccessCheckResult of "Granted" should be displayed.

Test-ApplicationAccessPolicy -Identity {EmailAddressNotInGroup} -AppId bea520a4-6256-441d-90af-37598ba710fd

An AccessCheckResult of "Denied" should be displayed.

Changes to application access policies may take over 1 hour to take effect with Microsoft Graph REST API calls. Even if Test-ApplicationAccessPolicy shows positive results.

PreviousMicrosoft 365 permissions NextOAuth authentication flow

Last updated 4 months ago