1. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.
2. Identify the app’s client ID and a mail-enabled security group to restrict the app’s access to.
- Identify the app’s application (client) ID in the Azure app registration portal; the app was created in step 2, as per KB4370637;
- Create a new mail-enabled security group or use an existing one and identify the email address for the group;
- Add the mailbox used for sending mail notifications as a member of that mail-enabled security group;
3. Create an application access policy by running the following command, replacing the arguments for AppId, PolicyScopeGroupId, and Description if desired.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId GroupEmailAddress@domain.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group"
4. Test the newly created application access policy by running the following command, replacing the arguments for Identity and AppId.
Test-ApplicationAccessPolicy -Identity user1@domain.com -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
The output of this command indicates whether the app has access to the Active Roles mailbox.
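Steps 1 to 4 as a single session, added here as an example and not part of the original article. It goes one step further than the procedure by confirming the group membership from step 2 and by testing a mailbox outside the group, which the policy should deny. The AppId and both mailbox addresses are placeholders to replace with your own values.

```powershell
# Added example; every value in this block is a placeholder.
$AppId      = '00000000-0000-0000-0000-000000000000'  # the app's application (client) ID
$ScopeGroup = 'GroupEmailAddress@domain.com'          # mail-enabled security group (step 2)
$AllowedMbx = 'notifications@domain.com'              # mailbox used for sending mail notifications
$OutsideMbx = 'user1@domain.com'                      # a mailbox that is NOT a member of the group

# Step 1: connect to Exchange Online PowerShell
Connect-ExchangeOnline

# Step 2 check: the notification mailbox must already be a member of the scope group
$members = Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited
if ($members.PrimarySmtpAddress -notcontains $AllowedMbx) {
    throw "$AllowedMbx is not a member of $ScopeGroup; add it before creating the policy."
}

# Step 3: create the policy only if this app has no RestrictAccess policy yet
$existing = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and [string]$_.AccessRight -eq 'RestrictAccess' }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Restrict this app to members of distribution group' | Out-Null
}

# Step 4: test both sides of the restriction, not only the mailbox that should work
$expected = @{ $AllowedMbx = 'Granted'; $OutsideMbx = 'Denied' }
$results = foreach ($mbx in $expected.Keys) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mbx
        Expected = $expected[$mbx]
        Actual   = [string]$r.AccessCheckResult
        Ok       = ([string]$r.AccessCheckResult -eq $expected[$mbx])
    }
}
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    # Policy changes can take longer than 1 hour to take effect, so re-run later before troubleshooting
    Write-Warning 'At least one mailbox did not return the expected result.'
}
```

A "Granted" result for the mailbox outside the group means the app is not yet restricted to the group.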
Note: Changes to application access policies can take longer than 1 hour to take effect. For further assistance on this, please refer to the following Microsoft article or contact Microsoft.