Table of contents
- How to find skybow Exchange connector Application ID
- How to set ApplicationAccessPolicy
- How to remove ApplicationAccessPolicy
The skybow Send email action in Scheduled/Triggered actions requires approval (admin consent) of the skybow Exchange Connector and a configured sender email address. To limit the connector to specific mailboxes, rather than every mailbox in the tenant, you can use application access policies. The New-ApplicationAccessPolicy cmdlet in PowerShell gives administrators a flexible and efficient way to implement access control policies for applications.
This article explains how to use New-ApplicationAccessPolicy to restrict the skybow Exchange connector to a specific set of mailboxes.
1. How to find skybow Exchange connector Application ID
Open portal.azure.com and select Microsoft Entra ID in the left navigation. Select Enterprise applications and search for "skybow Exchange connector".
Open the application and copy its Application ID.
2. How to set ApplicationAccessPolicy
1. First, install the ExchangeOnlineManagement PowerShell module and connect with admin credentials. Run Windows PowerShell with administrator rights and execute the following commands:
Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline
2. Then restrict access using the New-ApplicationAccessPolicy cmdlet. It requires the Application ID of the app registration, the access right you want to apply, and the email address(es) you want to limit access to. These changes may take up to 30 minutes to take effect.
Note: to cover more than one mailbox, create a mail-enabled security group and pass the group's email address as the scope.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "4ef019f4-e6a1-4fa6-ae1c-c55f0922ff50" -PolicyScopeGroupId "AlexW@M365x69839084.OnMicrosoft.com" -Description "Restrict app permissions to allow access to the mailbox that's specified by the PolicyScopeGroupID parameter"
AccessRight - this parameter specifies the restriction type that you want to assign in the application access policy. Valid values are: RestrictAccess or DenyAccess.
AppId - this parameter specifies the GUID of the app to include in the policy (the Application ID copied in step 1).
Description - this parameter specifies a description for the policy.
PolicyScopeGroupID - this parameter specifies the recipient (a mailbox or a mail-enabled security group) to define in the policy.
If the sender email address configured in the Send email action is a mailbox outside the policy scope, the action fails and you will see an error in the history logs.
Use the Get-ApplicationAccessPolicy cmdlet to view the list of application access policies.
Get-ApplicationAccessPolicy | Format-List Identity,Description,ScopeName,AccessRight,AppID
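The following script is an added example (not part of the skybow article) that carries the procedure above through for the multi-mailbox case: it creates a mail-enabled security group, scopes the connector to it, and then verifies the effective result per mailbox with Test-ApplicationAccessPolicy. The application ID, group name and mailbox addresses are placeholders, and it assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example: scope the skybow Exchange connector to a mail-enabled
# security group and verify the policy. All values below are placeholders.
$AppId      = "<Application ID copied in step 1>"
$GroupName  = "skybow-Sender-Mailboxes"                  # assumed group name
$GroupSmtp  = "skybow-senders@contoso.onmicrosoft.com"   # assumed group address
$Allowed    = "AlexW@contoso.onmicrosoft.com"            # assumed permitted sender
$NotAllowed = "MeganB@contoso.onmicrosoft.com"           # assumed out-of-scope mailbox

# 1. Create the mail-enabled security group once and add the permitted sender(s).
if (-not (Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp | Out-Null
}
Add-DistributionGroupMember -Identity $GroupSmtp -Member $Allowed -ErrorAction SilentlyContinue

# 2. Create the RestrictAccess policy unless one already exists for this AppId;
#    a second policy for the same app would only widen or confuse the scope.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
        -PolicyScopeGroupId $GroupSmtp `
        -Description "skybow Exchange connector: send only from members of $GroupName"
} else {
    Write-Host "A policy already exists for $AppId; review its scope before adding another:"
    $existing | Format-List Identity, ScopeName, AccessRight
}

# 3. Check the effective access per mailbox. Propagation can take up to 30 minutes,
#    so re-run this part if the result does not yet match the policy.
foreach ($mbx in @($Allowed, $NotAllowed)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    Write-Host ("{0,-45} {1}" -f $mbx, $result.AccessCheckResult)
}
```

Once the policy has propagated, Test-ApplicationAccessPolicy reports AccessCheckResult Granted for members of the group and Denied for any other mailbox, which is the quickest way to confirm the connector can no longer send from an unintended address.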
3. How to remove ApplicationAccessPolicy
You can use the Remove-ApplicationAccessPolicy cmdlet to remove application access policies. These changes may take up to 30 minutes to take effect.
Remove-ApplicationAccessPolicy -Identity "596ade3a-1abe-4c5b-b7d5-a169c4b05d4a\7a774f0c-7a6f-11e0-85ad-07fb4824019b:S-1-5-21-724521725-2336880675-2689004279-1821338;8b6ce428-cca2-459a-ac50-d38bcc932258"
Identity - this parameter specifies the application access policy that you want to remove (use the Identity value shown by Get-ApplicationAccessPolicy).