Control access to calendars
Control access with a mail-enabled security group and an Application Access Policy
Granting consent during the onboarding process allows Graph API to get notifications from all calendars in a Microsoft 365 tenant. We recommend applying an Application Access Policy to restrict access to specific calendars only. The Application Access Policy can either allow or deny notifications to Graph API from members of a mail-enabled security group.
Two types of permissions can be applied to the Application Access Policy, depending on whether you wish to allow or deny access to the calendars of the users added to the mail-enabled security group.
a) Use DenyAccess to deny access to the calendars belonging to the group and allow access to all other user calendars.
b) Use RestrictAccess to allow access to the calendars belonging to the group and restrict access to all other calendars.
Learn more about New-ApplicationAccessPolicy at Microsoft https://docs.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps/
How is it done?
Use the following PowerShell scripts to create a new mail-enabled security group and create an Application Access Policy to restrict access to specific calendars.
- Sign in with your Microsoft 365 Admin account and run the following scripts to create the session.
Set-ExecutionPolicy RemoteSigned $UserCredential = Get-Credential Connect-ExchangeOnline -Credential $UserCredential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session -AllowClobber
- Create a new mail-enabled security group to manage the calendars that you will either allow or deny access to.
New-DistributionGroup -Name "Enter the name of new security group" -Alias "Enter the Alias" -Type security
- Create an Application Access Policy for the mail-enabled security group.
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "Enter Token Provider AD App ID" -PolicyScopeGroupId "Enter Email Enabled Security Group Mailbox ID" -Description "Restricted Access Group Policy"
-AccessRight: Replace “RestrictAccess” with “DenyAccess” to deny access to the calendars in the security group and allow access to all other calendars.
-AppId: To find your Token Provider AD App ID run
Get-AzureADApplication -Filter "DisplayName eq 'Condeco Smart Calendar'"
Microsoft 365 takes at least one hour to replicate changes to the Application Access Policy.
Condeco Microsoft 365 integration home