Exchange Online (EXO) limiting application permissions

This article describes how you can limit application permissions by applying an application access policy. This is useful when, for example, a desktop application connects to Exchange Online and sends email using Modern Authentication with a client secret.

Earlier you registered an application (App registrations) in the Azure portal that uses a client secret, allowing your application to connect to Exchange Online (EXO).

In many cases it is recommended to limit the accounts from which the application can send email.

We won't go into detail about this, but want to give you the impetus to get started on configuring this further.

Limiting EXO application access by applying an application access policy can only be configured using PowerShell.

Configuration

  1. Install PowerShell [1] if not yet installed.
    (In this example we are using PowerShell version 7.2.7. Run $PSVersionTable to see your PowerShell version.)


  2. Install the Exchange Online PowerShell module by running the PowerShell command Install-Module -Name ExchangeOnlineManagement.
  3. Run cmdlet Connect-ExchangeOnline to connect to EXO via PowerShell.
    This will open a browser to select an account and login.
    The message Authentication complete. You can return to the application. Feel free to close this browser tab. might appear.


  4. Open EAC (Exchange Admin Center) and navigate to Recipients > Groups > Mail-enabled security.
  5. Pick an existing group under Mail-enabled security or create a new group. This group will be used to restrict access.
    1. Click Add a group.
    2. Select the Mail-enabled security option and click Next.
    3. For Name, use WinkingPrintandShareSecureGroup; for Description, fill in Limit the Winking Print&Share application to only email as specific users.
      Click Next.
    4. Assign group owners by clicking Assign owners and after this click Next.
    5. Assign group members by clicking Add members. These are the email account(s) that are allowed to send email through the Winking PrintandShare application we registered in Azure.
    6. Enter the group email address, check and modify the Communication and Approval settings to your needs, and click Next.
    7. Review and finish adding group and click Create group.
    8. You should now see the mail-enabled security group called WinkingPrintandShareSecureGroup in EAC > Recipients > Groups > Mail-enabled security.
  6. In PowerShell, run the cmdlet
    New-ApplicationAccessPolicy -AppId <ApplicationClientID> -PolicyScopeGroupId <MailEnabledSecurityGroup> -AccessRight RestrictAccess -Description "<ADescriptionHere>"
    The -AppId parameter (<ApplicationClientID>) is the Client ID of the Winking PrintandShare app in Azure.
    The -PolicyScopeGroupId parameter (<MailEnabledSecurityGroup>) is the name of the mail-enabled security group you just created in EAC, or one that already exists.
    In our case it might be something like:
    New-ApplicationAccessPolicy -AppId 6x9745fgj-92j4-5a3c-6641-66hd6hfj2a3c -PolicyScopeGroupId WinkingPrintandShareSecureGroup -AccessRight RestrictAccess -Description "Limit the Winking Print&Share application to only email as specific users"

If all went well, we have now applied an application access policy.

Verifying the configuration

Use this cmdlet to get an overview of the application access policies:
Get-ApplicationAccessPolicy

Modify the description with the following command:
Set-ApplicationAccessPolicy -Identity "<VeryLongIdHere>" -Description "Foo bar"
(You can obtain the -Identity value by first running the Get-ApplicationAccessPolicy cmdlet.)

You can test the application access policy by running the cmdlet:
Test-ApplicationAccessPolicy -AppId <AzureApplicationClientId> -Identity <emailToTest>

For example:

Test-ApplicationAccessPolicy -AppId 6x9745fgj-92j4-5a3c-6641-66hd6hfj2a3c -Identity foo@company.com

Now try again with another account, for example bar@company.com.

You will see that AccessCheckResult is Granted for the email accounts you test that are members of your mail-enabled security group WinkingPrintandShareSecureGroup.

Users who are not members of the WinkingPrintandShareSecureGroup mail-enabled security group will show Denied as the AccessCheckResult.

A policy can be removed with Remove-ApplicationAccessPolicy -Identity "<identity>".
These changes may take up to 30 minutes to take effect.
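The configuration step (step 6 above) and the verification section can be combined into one re-runnable script. This is an added example, not code from the original article; the Client ID is a placeholder and the two test mailboxes with their expected results are constructed for the example.

```powershell
# Added example (not from the original article): create the RestrictAccess policy
# from step 6 and then verify it against a list of mailboxes with
# Test-ApplicationAccessPolicy, comparing AccessCheckResult to what we expect.

$AppId      = "<ApplicationClientID>"            # placeholder: Client ID of the Azure app registration
$ScopeGroup = "WinkingPrintandShareSecureGroup"   # mail-enabled security group created in EAC
$Expected   = @{                                  # constructed test set: mailbox -> expected AccessCheckResult
    "foo@company.com" = "Granted"   # member of the group
    "bar@company.com" = "Denied"    # not a member of the group
}

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Create the policy only if none exists yet for this AppId, so the script can be re-run safely.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description "Limit the Winking Print&Share application to only email as specific users"
} else {
    Write-Host "Policy already present for $AppId : $($existing.Identity)"
}

# Verify: every mailbox must come back with the result we expect. A mismatch
# (for example Granted for a non-member) is reported instead of silently ignored.
$failures = 0
foreach ($mailbox in $Expected.Keys) {
    $result = Test-ApplicationAccessPolicy -AppId $AppId -Identity $mailbox
    $actual = "$($result.AccessCheckResult)"
    if ($actual -eq $Expected[$mailbox]) {
        Write-Host "OK    $mailbox -> $actual"
    } else {
        Write-Warning "FAIL  $mailbox -> $actual (expected $($Expected[$mailbox]))"
        $failures++
    }
}

# The policy can take up to 30 minutes to apply; re-run the script if the results look stale.
if ($failures -gt 0) { Write-Warning "$failures mailbox(es) did not match the expected access result" }

Disconnect-ExchangeOnline -Confirm:$false
```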
