exchange/exchange-ps/exchange/New-ApplicationAccessPolicy.md
8 additions & 8 deletions
@@ -14,7 +14,7 @@ ms.reviewer:
14
14
## SYNOPSIS
15
15
This cmdlet is available only in the cloud-based service.
16
16
17
-
Use the New-ApplicationAccessPolicy cmdlet to restrict or deny access for an application that is using Outlook REST APIs, Microsoft Graph APIs or the EWS APIs to a specific set of mailboxes. These policies are complementary to the permission scopes that are declared by the application.
17
+
Use the New-ApplicationAccessPolicy cmdlet to restrict or deny access to a specific set of mailboxes by an application that uses APIs (Outlook REST, Microsoft Graph, or Exchange Web Services (EWS)). These policies are complementary to the permission scopes that are declared by the application.
18
18
19
19
**Note**: We recommend that you use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-exchange-online-powershell).
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://docs.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions).
35
35
36
-
A limited number of policies can be created per Microsoft 365 tenant. Each tenant has a fixed amount of space for these policies. An error message stating "The total size of App Access Policies exceeded the limit." will be displayed if the amount of space is consumed. To maximize the number of policies you can create, set a blank one charachter description to avoid an auto-generated description consuming additional space. By doing this, tenants should expect to be able to create aproximately 300 policies (versus a previous limit of 100 policies).
36
+
You can create a limited number of policies in your organization based on a fixed amount of space. If your oganization runs out of space for these policies, you'll see the error: "The total size of App Access Policies exceeded the limit." To maximize the number of policies and reduce the amount of space that's consumed by the policies, set a one space charachter description for the policy. This method will allow aproximately 300 policies (versus a previous limit of 100 policies).
37
37
38
-
While the scope-based resource access like Mail.Read or Calendar.Read is effective to ensure that the application can only read mails or events within a mailbox and not do anything else; Application Access Policy feature allows admins to enforce limits that are based on a list of mailboxes. For example, in a global organization apps developed for one country shouldn't have access to data from other countriesor a CRM integration application should only access calendar of the Sales organization and no other departments.
38
+
While scope-based resource access like Mail.Read or Calendar.Read is effective to ensure that the application can only read email or events within a mailbox and not do anything else, application access policies allow admins to enforce limits that are based on a list of mailboxes. For example, apps developed for one country shouldn't have access to data from other countries. Or, or a CRM integration application should only access calendars in the Sales organization and no other departments.
39
39
40
40
Every API request using the Outlook REST APIs or Microsoft Graph APIs to a target mailbox done by an application is verified using the following rules (in the same order):
41
41
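Review bot: The added line 36 contains three misspellings, "oganization", "charachter" and "aproximately" (the last two carried over from the removed line), and the added line 38 has a doubled conjunction in "Or, or a CRM integration application". Suggest "organization", "character", "approximately" and "Or, a CRM integration application". The added line 36 also reads "set a one space charachter description", which is harder to parse than the removed "blank one charachter description"; "set the description to a single space character" would be unambiguous.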
@@ -61,15 +61,15 @@ This example creates a new application access policy with the following settings
61
61
62
62
### Example 2
63
63
```powershell
64
-
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "e7e4dbfc-046f-4074-9b3b-2ae8f144f59b" -PolicyScopeGroupId [email protected] -Description "Restrict this app to members of security group EvenUsers."
64
+
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "e7e4dbfc-046f-4074-9b3b-2ae8f144f59b" -PolicyScopeGroupId [email protected] -Description "Restrict this app's access to members of security group EvenUsers."
65
65
```
66
66
67
67
This example creates a new application access policy with the following settings:
- Description: Restrict this app to only access members of security group EvenUsers.
72
+
- Description: Restrict this app's access to members of security group EvenUsers.
73
73
74
74
### Example 3
75
75
```powershell
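Review bot: The -Description value in Example 2 (added line 64) gets longer, while the added line 36 in this same commit says policy space is fixed and recommends a one-space description to fit more policies. Consider a sentence after the example stating that the descriptive text is for illustration and counts against that space, so admins who are near the limit do not copy it as-is.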
@@ -86,10 +86,10 @@ This example creates a new application access policy with the following settings
86
86
## PARAMETERS
87
87
88
88
### -AccessRight
89
-
The AccessRight parameter specifies the restriction type that you want to assign in the application access policy. RestrictAccess allows the associated app to only access data associated with mailboxes in the PolicyScopeGroupID. DenyAccess allows the associated app to only access data not associated with mailboxes in the PolicyScopeGroupID. Valid values are:
89
+
The AccessRight parameter specifies the restriction type that you want to assign in the application access policy. Valid values are:
90
90
91
-
- RestrictAccess
92
-
- DenyAccess
91
+
- RestrictAccess: Allows the associated app to only access data that's associated with mailboxes specified by the PolicyScopeGroupID parameter.
92
+
- DenyAccess: Allows the associated app to only access data that's not associated with mailboxes specified by the PolicyScopeGroupID parameter.
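Review bot: In the added lines 91-92, the DenyAccess bullet opens with "Allows the associated app to only access data that's not associated with mailboxes ...", which describes a deny setting in terms of what is allowed and is easy to misread when an admin picks between the two values. Suggest stating it directly, for example "DenyAccess: Blocks the associated app from accessing data that's associated with mailboxes ...", keeping the RestrictAccess bullet as the "only" case. Both bullets also write "PolicyScopeGroupID" where Example 2 uses "-PolicyScopeGroupId", and say "mailboxes specified by" the parameter although the example passes a security group; "mailboxes in the group specified by the PolicyScopeGroupId parameter" would match the example.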