(Optional) Application Access Policies

Create a security group to limit resources and mailboxes that Space Connect can access.

Space Connect has always used Enterprise Applications to connect to Microsoft O365 Cloud Services. Whilst this is the Microsoft-recommended mechanism, it has lacked the granular, per-mailbox permissions that were possible with on-premises impersonation accounts.

Whilst impersonation did enable tighter control of which mailboxes were accessible, it also opened the potential for numerous security loopholes and was not the approach recommended by Microsoft.

In February 2022, Microsoft announced the introduction of Application Access Policies for Enterprise Applications, bringing more granular control of mailboxes and resources.

Note: This setup is optional. Space Connect continues to work as expected if you make no change here and only complete the How to Authorise Space Connect Access guide. Without an Application Access Policy, the application is able to reach any mailbox in the tenant that the granted permissions cover; the policy below narrows that to the members of one group.


We only ever access data that you have configured via our admin panel. This includes, but is not limited to, users, room calendars and security groups.

Full details of Application Access Policies can be found here.

Step 1:

Log in to O365 Admin and create a Mail Enabled Security group. Make a note of the email address assigned to the group; you will need it in Step 4.

Step 2: 

Add all rooms and user accounts that you want Space Connect to be able to access.

Note: ALL mailboxes that you want to use with Space Connect need to be members of the security group. This includes user mailboxes, not just room mailboxes; a user who is not a member will not be visible to Space Connect once the policy is applied.

Step 3:

Launch PowerShell and connect to Exchange Online using modern authentication. Connect-ExchangeOnline is part of the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement if it is not already installed).

Connect-ExchangeOnline -UserPrincipalName {O365 admin email address}

If this step does not work, read the following guide, which configures your PowerShell environment for modern authentication.

Step 4: 

Apply an Application Access Policy to the Space Connect Legacy Enterprise Application using the command below. The AccessRight of RestrictAccess means the application is allowed to access only the mailboxes in the scope group and is denied everything else.

New-ApplicationAccessPolicy -AppId c3f87673-cff8-469e-b416-548c92def070 -PolicyScopeGroupId {mailenabledsecurityemail} -AccessRight RestrictAccess -Description "Restrict SpaceConnect to members of mail-enabled security group {mailenabledsecurityemail}."

Note:

AppId = The Space Connect Legacy Application ID (c3f87673-cff8-469e-b416-548c92def070). Keep this value exactly as shown; the policy is keyed on it.

mailenabledsecurityemail = The email address of the Mail Enabled Security group that was set up in Step 1.

Description = A free-text description of the policy, shown when you later run Get-ApplicationAccessPolicy.

Step 5: 

Test the newly created Application Access Policy. Check both a mailbox that is in the group and one that is not, so that you prove the policy both grants and denies.

Test-ApplicationAccessPolicy -Identity {EmailAddressInGroup} -AppId c3f87673-cff8-469e-b416-548c92def070 

An AccessCheckResult of Granted will be displayed. 

 

Test-ApplicationAccessPolicy -Identity {EmailAddressNotInGroup} -AppId c3f87673-cff8-469e-b416-548c92def070 

An AccessCheckResult of Denied will be displayed. 

Note: Changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy already shows the expected results. If Space Connect still sees (or fails to see) a mailbox straight after the change, wait before troubleshooting further.

Step 6:

That's it!

The Space Connect Legacy Enterprise Application will now only be able to access the resources/mailboxes that are members of the Mail Enabled Security group. Because the policy is keyed on the Application ID above, it applies only to that application; any other application in your tenant is unaffected. To add or remove a room or user from Space Connect later, change the group membership; no further PowerShell is needed.
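Steps 1 to 5 above carried out as a single PowerShell script, as an added example. This is not code from Space Connect or from Microsoft. The only value taken from this page is the Space Connect Legacy Application ID; the admin UPN, the group name and address, and the room and user addresses are placeholders that you must replace for your own tenant. It also adds two checks a practitioner would want that the step-by-step guide does not show: it refuses to create a second policy for the same Application ID, and it tests a mailbox that must be Denied as well as the ones that must be Granted.

```powershell
# Added example, not Space Connect's own code. Placeholder values are marked "assumption".
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).

$AdminUpn  = 'admin@contoso.example'                 # assumption: your O365 admin account
$GroupName = 'SpaceConnect-Scope'                    # assumption: display name for the group
$GroupSmtp = 'spaceconnect-scope@contoso.example'    # assumption: the group's email address
$AppId     = 'c3f87673-cff8-469e-b416-548c92def070'  # Space Connect Legacy Application ID (from the page)

# Rooms AND users that Space Connect may access (Step 2 says both kinds must be members).
$AllowedMailboxes = @(                               # assumption: sample addresses
    'boardroom@contoso.example',
    'huddle-1@contoso.example',
    'alice@contoso.example'
)
# A mailbox that must stay out of reach; used as the negative test in Step 5.
$DeniedMailbox = 'ceo@contoso.example'               # assumption: sample address

# Step 3: connect with modern authentication.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 1: create the mail-enabled security group (-Type Security) unless it already exists.
$group = Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp
}

# Step 2: add every room and user mailbox. Existing members are skipped silently.
foreach ($mbx in $AllowedMailboxes) {
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $mbx -ErrorAction SilentlyContinue
}

# Step 4: restrict the application to the group. Do not stack a second policy on the
# same AppId; review the existing one first so the effective scope stays obvious.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    Write-Warning "A policy for AppId $AppId already exists; review it before adding another:"
    $existing | Format-List
} else {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
        -AccessRight RestrictAccess `
        -Description "Restrict Space Connect to members of mail-enabled security group $GroupSmtp."
}

# Step 5: verify both directions. Members must be Granted and a non-member must be Denied;
# if no policy applied at all, every mailbox would come back Granted, so the Denied
# check is what proves the restriction is actually in force.
$failures = 0
foreach ($mbx in $AllowedMailboxes) {
    $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    if ($r.AccessCheckResult -ne 'Granted') {
        $failures++
        Write-Warning "$mbx expected Granted, got $($r.AccessCheckResult)"
    }
}
$r = Test-ApplicationAccessPolicy -Identity $DeniedMailbox -AppId $AppId
if ($r.AccessCheckResult -ne 'Denied') {
    $failures++
    Write-Warning "$DeniedMailbox expected Denied, got $($r.AccessCheckResult)"
}

if ($failures -eq 0) {
    Write-Host 'Policy verified: group members Granted, non-member Denied.'
} else {
    Write-Warning "$failures check(s) failed; see warnings above."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a PowerShell session as an account that holds an Exchange Online administrator role. The Test-ApplicationAccessPolicy results reflect the policy store immediately, but as noted above the change can take more than an hour to be enforced on Microsoft Graph calls, so a Granted/Denied result here does not mean Space Connect itself has picked the change up yet.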