# Limit access to mailboxes

To enhance security and control over UMA's access to Microsoft 365, we allow organisations to limit access to specific users and resources. This setup is optional, and UMA will function as expected without changes if the existing authorisation process has been applied. We only access data configured by you via our admin portal, including users, room calendars and security groups. ### **Create a mail enabled security group** Login to Microsoft 365 and create a mail enabled security group. ### **Add resources and mailboxes** Add all users and resources intended for use in UMA. ### **Connect with PowerShell** Launch PowerShell and connect using modern authentication: ```powershell Connect-ExchangeOnline -UserPrincipalName {Microsoft 365 admin email address} ``` ### **Apply application access policy** Apply the application access policy to the UMA Vision enterprise application using the provided script: ```powershell New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "bea520a4-6256-441d-90af-37598ba710fd" -PolicyScopeGroupId "mail_enabled_security_email -Description "Restrict UMA to members of Mail Enabled Security Group (mail_enabled_security_name)." ``` Parameters: * AppId: UMA Vision enterprise application ID. * mailenabledsecurityemail: Email address set up in Step 1. * Description: A description of the policy. ### **Test the policy** Test the newly created application access policy: ```powershell Test-ApplicationAccessPolicy -Identity {EmailAddressInGroup} -AppId bea520a4-6256-441d-90af-37598ba710fd ``` An AccessCheckResult of "Granted" should be displayed. ```powershell Test-ApplicationAccessPolicy -Identity {EmailAddressNotInGroup} -AppId bea520a4-6256-441d-90af-37598ba710fd ``` An AccessCheckResult of "Denied" should be displayed. {% hint style="info" %} Changes to application access policies may take over 1 hour to take effect with Microsoft Graph REST API calls. Even if Test-ApplicationAccessPolicy shows positive results. {% endhint %}