This guide shows you how to restrict the "Ebsta EWS Service" so that it can access only the mailboxes of a certain group of users.
This is useful if you want Ebsta to have access to certain mailboxes only.
You will need PowerShell access to your tenant to do this.
Step 1: Connect to Exchange Online
PowerShell
Connect-ExchangeOnline -Organization mydomain.onmicrosoft.com
Step 2: Create a Mail-Enabled Security Group
Create the Group:
PowerShell
New-DistributionGroup -Name "ebsta-EWS-SA-users" -Alias "ebstaEWSUsers" -Type Security
Enable Mail for the Group:
PowerShell
Set-DistributionGroup -Identity "ebsta-EWS-SA-users" -EmailAddresses SMTP:ebstaEWSUsers@mydomain.com
Verify the Group Creation:
PowerShell
Get-DistributionGroup -Identity "ebsta-EWS-SA-users"
Now add the users to the group in Exchange Admin.
Step 3: Grant Application Access Policy
Find the App ID of your "Ebsta EWS Service Account":
PowerShell
Get-ServicePrincipal -DisplayName "Ebsta EWS Service"
Create the Application Access Policy:
PowerShell
New-ApplicationAccessPolicy -AppId "<App-ID>" `
    -PolicyScopeGroupId "ebsta-EWS-SA-users" `
    -Description "Restrict Ebsta EWS app to only users in ebsta-EWS-SA-users group" `
    -AccessRight RestrictAccess
Step 4: Verify the Policy
PowerShell
Get-ApplicationAccessPolicy -AppId "<App-ID>"
Step 5: Test the Policy
PowerShell
Test-ApplicationAccessPolicy -Identity "user@mydomain.com" -AppId "<App-ID>"
The output should confirm whether the user is allowed or denied access based on their group membership.
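To check more than one mailbox at a time, the following added example (not part of the original guide and not Ebsta's own script) runs the Step 5 test against a list of mailboxes and compares each result with the membership of the scope group. It assumes an active Connect-ExchangeOnline session; the App ID and the two sample addresses are placeholders to replace with your own values.

```powershell
# Added example: batch version of the Step 5 check.
# Assumes an active Connect-ExchangeOnline session.
$AppId     = '<App-ID>'              # placeholder: App ID found in Step 3
$GroupName = 'ebsta-EWS-SA-users'    # scope group created in Step 2

# Mailboxes to check (constructed placeholders). Include at least one
# mailbox that must NOT be reachable by the app.
$Mailboxes = @(
    'member.user@mydomain.com',      # expected to be in the group
    'nonmember.user@mydomain.com'    # expected to be outside the group
)

# Direct members of the scope group, by primary SMTP address.
# This script does not expand nested groups.
$members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() }

$report = foreach ($mbx in $Mailboxes) {
    # Members should be Granted, everyone else Denied.
    $expected = if ($members -contains $mbx.ToLowerInvariant()) { 'Granted' } else { 'Denied' }
    $actual   = (Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId).AccessCheckResult

    [pscustomobject]@{
        Mailbox  = $mbx
        Expected = $expected
        Actual   = "$actual"
        Match    = ("$actual" -eq $expected)
    }
}

$report | Format-Table -AutoSize

# Any mismatch means the policy result and the group membership disagree.
$mismatches = @($report | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) mailbox(es) did not match the expected result."
}
```

A non-member that comes back as Granted is the result to investigate first, since it means the app can still reach a mailbox outside the intended scope.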