When connecting Outlook to Tekst via a service account, the integration is granted access to all mailboxes within your tenant by default. This guide explains how administrators can restrict access to only the specific mailboxes that are relevant for use with Tekst.
Prerequisites
- Administrator access to your Azure environment
- Exchange Online PowerShell module installed
- A mail-enabled security group containing the mailboxes Tekst should access
Configure an Application Access Policy
Step 1: Connect to Exchange Online PowerShell
Open PowerShell and connect to Exchange Online:
Connect-ExchangeOnline
For details, see Microsoft's guide on how to connect to Exchange Online PowerShell.
Step 2: Identify the App Client ID and Security Group
You will need the following information:
- Application (client) ID: b2094c09-0651-49c4-b2c2-ed3b739e2a8c
- Mail-enabled security group: Create a new mail-enabled security group or use an existing one. Add only the mailboxes that Tekst should be able to access. All other mailboxes in the tenant will be excluded. Note down the group's email address to use as the PolicyScopeGroupId.
Step 3: Create the Application Access Policy
Run the following command, replacing the -PolicyScopeGroupId value with your security group's email address and the -Description value with a meaningful description:
New-ApplicationAccessPolicy `
-AppId b2094c09-0651-49c4-b2c2-ed3b739e2a8c `
-PolicyScopeGroupId <your-group@yourdomain.com> `
-AccessRight RestrictAccess `
-Description "Restrict Tekst app to members of the security group"
Step 4: Test the Application Access Policy
Verify the policy works correctly by testing it against a specific user mailbox:
Test-ApplicationAccessPolicy `
-Identity <user@yourdomain.com> `
-AppId b2094c09-0651-49c4-b2c2-ed3b739e2a8c
The output will indicate whether the app has access to the specified user's mailbox. Test with both a user inside and outside of the security group to confirm the policy is applied correctly.
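One way to run this check across every mailbox in the security group, plus a list of mailboxes that should be excluded, is sketched below. This is an added example, not part of the original guide or Tekst's own tooling; the group address and the outside mailbox are placeholders, and it assumes an active Connect-ExchangeOnline session.

```powershell
# Added example: verify the policy for all in-scope mailboxes and a set of
# mailboxes that must stay out of scope. Placeholders are marked below.
$AppId            = 'b2094c09-0651-49c4-b2c2-ed3b739e2a8c'   # client ID from Step 2
$ScopeGroup       = 'your-group@yourdomain.com'              # placeholder: your PolicyScopeGroupId
$OutsideMailboxes = @('outside-user@yourdomain.com')         # placeholder: mailboxes NOT in the group

# 1. Confirm that a RestrictAccess policy exists for this app.
$policy = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
if (-not $policy) { throw "No RestrictAccess policy found for app $AppId" }

# 2. Build the expectation list: group members should be Granted,
#    the listed outside mailboxes should be Denied.
$cases = @(
    Get-DistributionGroupMember -Identity $ScopeGroup -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'UserMailbox' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $_.PrimarySmtpAddress; Expected = 'Granted' } }
)
$cases += @(
    $OutsideMailboxes |
        ForEach-Object { [pscustomobject]@{ Mailbox = $_; Expected = 'Denied' } }
)

# 3. Run Test-ApplicationAccessPolicy for each mailbox and compare.
$results = foreach ($case in $cases) {
    $check = Test-ApplicationAccessPolicy -Identity $case.Mailbox -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $case.Mailbox
        Expected = $case.Expected
        Actual   = "$($check.AccessCheckResult)"
        Match    = ("$($check.AccessCheckResult)" -eq $case.Expected)
    }
}
$results | Format-Table -AutoSize

# 4. Flag anything that does not match the intended scope.
$mismatches = @($results | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) mailbox(es) do not match the expected result."
} else {
    Write-Output 'All tested mailboxes match the expected result.'
}
```

A mismatch shortly after creating the policy can be a propagation delay; rerun the script before changing the group or the policy.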
Troubleshooting
PowerShell Version Errors
If you encounter errors related to your PowerShell version, update to the latest version. The Exchange Online PowerShell module requires PowerShell version 3.0 or higher. Check your version by running:
$PSVersionTable.PSVersion
Refer to Microsoft's official documentation for installation instructions.
Policy Not Taking Effect
Application access policies may take up to 30 minutes to propagate. If the policy does not seem to be working after creation, wait and test again.
Reference
This guide is based on Microsoft's documentation on limiting application permissions to specific mailboxes.