When you connect an organization-wide Outlook account, Tekst is granted application-level (app-only) permissions that, by default, can reach every mailbox in your tenant. This guide explains how an administrator can restrict that access to only the mailboxes that are relevant for Tekst.
This applies to organization-wide accounts only. A personal account is already limited to the mailboxes its signed-in user can reach, so no extra scoping is needed.
How scoping works
Microsoft lets you limit an application's mailbox access with an Exchange Online application access policy. The policy ties Tekst's application (client) ID to a mail-enabled security group: Tekst can then access the mailboxes that are members of the group, and no others. The policy does not change which permissions the app has been consented to in Microsoft Entra ID; it restricts which mailboxes those mailbox-scoped permissions (Graph Mail, MailboxSettings, Calendars and Contacts application permissions, and EWS app access) can reach.
Note that application access policies are a long-standing Exchange Online feature that Microsoft is gradually replacing with Role Based Access Control (RBAC) for Applications. The steps below still work today; if your organization has standardized on App RBAC, you can scope the same application using that newer model instead.
Prerequisites
- Administrator access to your Microsoft 365 / Exchange Online environment (for example the Exchange Administrator role).
- The Exchange Online PowerShell module installed.
- A mail-enabled security group containing the mailboxes Tekst should access.
Step 1: Connect to Exchange Online PowerShell
Open PowerShell and connect to Exchange Online:
Connect-ExchangeOnline
For details, see Microsoft's guide on how to connect to Exchange Online PowerShell.
Step 2: Identify the app client ID and security group
You will need the following:
- Application (client) ID of the Tekst Outlook application: b2094c09-0651-49c4-b2c2-ed3b739e2a8c
- Mail-enabled security group: create a new mail-enabled security group or use an existing one, and add only the mailboxes Tekst should access. All other mailboxes in the tenant will be excluded. Note the group's email address; it is used as the PolicyScopeGroupId.
Step 3: Create the application access policy
Run the following, replacing the group address with your security group and adjusting the description:
New-ApplicationAccessPolicy `
-AppId b2094c09-0651-49c4-b2c2-ed3b739e2a8c `
-PolicyScopeGroupId <your-group@yourdomain.com> `
-AccessRight RestrictAccess `
-Description "Restrict Tekst app to members of the security group"
Step 4: Test the application access policy
Verify the policy by testing it against specific mailboxes:
Test-ApplicationAccessPolicy `
-Identity <user@yourdomain.com> `
-AppId b2094c09-0651-49c4-b2c2-ed3b739e2a8c
The output's AccessCheckResult field indicates whether the app has access to that mailbox (Granted or Denied). Test with a user inside the group and a user outside it to confirm the policy behaves as expected. You can list the policies that exist for the app at any time with Get-ApplicationAccessPolicy.
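The following script is an added end-to-end example that is not part of this guide or of Microsoft's documentation. It runs Steps 1 to 4 together and goes slightly beyond them: it creates the scope group if it is missing, refuses to continue if an existing group of that address is not a mail-enabled security group, creates the policy only if none exists for the app, and then tests one list of mailboxes that must be granted and one that must be denied, reporting any mismatch. The admin UPN, group name and address, and all test mailboxes are placeholders you must replace; only the AppId is taken from Step 2.

```powershell
# Added example (not from the Tekst or Microsoft docs): scope the Tekst app to one
# mail-enabled security group and prove the policy works before relying on it.
# Assumptions: admin UPN, group name/address and test mailboxes are placeholders;
# the AppId is the one stated in Step 2 of this guide.

$AppId        = 'b2094c09-0651-49c4-b2c2-ed3b739e2a8c'              # from Step 2
$AdminUpn     = 'admin@yourdomain.com'                               # assumption
$GroupName    = 'Tekst Mailboxes'                                    # assumption
$GroupAddress = 'tekst-mailboxes@yourdomain.com'                     # assumption
$InScope      = @('sales@yourdomain.com', 'support@yourdomain.com')  # assumption: must be Granted
$OutOfScope   = @('finance@yourdomain.com')                          # assumption: must be Denied

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Make sure the scope group exists and really is a mail-enabled security group.
#    Get-DistributionGroup also returns mail-enabled security groups.
$group = Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security `
        -PrimarySmtpAddress $GroupAddress -Members $InScope
} elseif ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$GroupAddress exists but is a $($group.RecipientTypeDetails), not a mail-enabled security group"
}
foreach ($mbx in $InScope) {
    # Add-DistributionGroupMember errors if the member is already present; ignore that.
    Add-DistributionGroupMember -Identity $GroupAddress -Member $mbx -ErrorAction SilentlyContinue
}

# 2. Create the RestrictAccess policy once, then show what is now in force for the app.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupAddress `
        -AccessRight RestrictAccess `
        -Description "Restrict Tekst app to members of $GroupName"
}
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, AccessRight, ScopeName, ScopeIdentity, Description

# 3. Verify from both sides: every in-scope mailbox must be Granted, every
#    out-of-scope mailbox must be Denied. Propagation can take up to 30 minutes,
#    so a fresh policy may still report Granted for out-of-scope mailboxes at first.
$results = foreach ($mbx in ($InScope + $OutOfScope)) {
    $check = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $mbx
        Expected = if ($InScope -contains $mbx) { 'Granted' } else { 'Denied' }
        Actual   = $check.AccessCheckResult
    }
}
$results | Format-Table -AutoSize

$failures = $results | Where-Object { $_.Expected -ne $_.Actual }
if ($failures) {
    Write-Warning "Policy not yet effective or group membership wrong for: $($failures.Mailbox -join ', ')"
} else {
    Write-Host "Tekst is scoped to $GroupAddress; all other mailboxes are denied."
}
```

Run it as an Exchange administrator; if it warns about mismatches right after creation, wait for propagation and re-run only the verification part. The out-of-scope check matters as much as the in-scope one: a policy that grants the right mailboxes but still grants everything else has not scoped anything.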
Troubleshooting
PowerShell version errors
The current Exchange Online PowerShell module (EXO V3) requires Windows PowerShell 5.1 or PowerShell 7 or later; older PowerShell versions will fail to install or import it. Check your version:
$PSVersionTable.PSVersion
Refer to Microsoft's installation documentation if you need to update.
Policy not taking effect
Application access policies can take up to 30 minutes to propagate. If Test-ApplicationAccessPolicy still reports Granted for a mailbox outside the group right after creation, wait and test again before assuming the policy is misconfigured; also confirm that the mailbox really is not a member of the scope group.
Reference
This guide is based on Microsoft's documentation on limiting application permissions to specific mailboxes.