Scoped Access

Setup
Reference

When to Use This

By default, Microsoft Graph application permissions grant access to all users in your tenant. Use Application Access Policies to restrict Parable’s access to a specific group of users.

Overview

This guide walks you through restricting your existing Microsoft 365 integration to only access data from a defined subset of users — such as a specific team or department.

Prerequisite: Complete the standard App Registration setup first. This guide adds restrictions to an existing app registration.

The Approach

You can’t limit permissions during token creation. Instead, you:

Create a mail-enabled security group containing the users Parable should access
Apply an Application Access Policy that restricts your app to only that group

Application Access Policies require PowerShell — this cannot be configured in the Azure portal.

Setup Guide

Create a Mail-Enabled Security Group

Go to Microsoft 365 admin center or Entra ID portal
Navigate to Groups → Active groups
Click Add a group
Select Mail-enabled security as the group type

Field	Value
Name	`Parable-Access-Group`
Description	Users accessible by Parable integration
Email address	`parable-access@yourdomain.com`

A regular security group won’t work — it must be mail-enabled.

Add the users you want Parable to access as members

Connect to Exchange Online PowerShell

Open PowerShell as administrator and run:

# Install the module (first time only)
Install-Module -Name ExchangeOnlineManagement

# Import and connect
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName your-admin@yourdomain.com

Create the Application Access Policy

Run this command, replacing the placeholder values:

New-ApplicationAccessPolicy `
  -AppId "YOUR_CLIENT_ID" `
  -PolicyScopeGroupId "parable-access@yourdomain.com" `
  -AccessRight RestrictAccess `
  -Description "Restricts Parable to specified user group"

Parameter	Value
`-AppId`	Your app’s Client ID from Azure
`-PolicyScopeGroupId`	Email address of your security group
`-AccessRight`	`RestrictAccess` (enforces the limitation)

The policy can take up to 30 minutes to become fully active.

Verify the Policy

Test access for users inside and outside the group:

# Should return "Granted"
Test-ApplicationAccessPolicy `
  -Identity included.user@yourdomain.com `
  -AppId "YOUR_CLIENT_ID"

# Should return "Denied"
Test-ApplicationAccessPolicy `
  -Identity excluded.user@yourdomain.com `
  -AppId "YOUR_CLIENT_ID"

Managing the Policy

View Existing Policies

Get-ApplicationAccessPolicy | Format-List

Remove a Policy

Remove-ApplicationAccessPolicy -Identity "PolicyIdentity"

Update Group Membership

Simply add or remove users from your mail-enabled security group. Changes propagate automatically — no policy update needed.

Understanding Permission Types

Type	Description	Scoping
Delegated	Acts on behalf of a signed-in user	Inherently scoped to that user
Application	Acts with its own identity	Tenant-wide by default — use policies to restrict

Application Access Policies only affect Application permissions. They tell Microsoft: “Even though this app could access all mailboxes, only allow access to members of this group.”

Troubleshooting

Issue	Solution
Policy not taking effect	Wait up to 30 minutes for propagation
Test returns unexpected result	Verify user is in the correct group
Can’t create mail-enabled group	Ensure you have Exchange Online licenses
PowerShell connection fails	Verify admin credentials and MFA

Common Scenarios

Restricting to multiple teams

Add users from multiple teams to a single mail-enabled security group, or create multiple groups and apply separate policies.

Excluding specific users

Application Access Policies work as allowlists, not blocklists. Create a group containing only the users you want to include.

Connectors

When to Use This

Overview

The Approach

Setup Guide

Managing the Policy

View Existing Policies

Remove a Policy

Update Group Membership

Understanding Permission Types

Troubleshooting

Restricting to multiple teams

Excluding specific users

Additional Resources

Application Access Policies

New-ApplicationAccessPolicy

Connectors

When to Use This

​Overview

​The Approach

​Setup Guide

​Managing the Policy

​View Existing Policies

​Remove a Policy

​Update Group Membership

​Understanding Permission Types

​Troubleshooting

​Restricting to multiple teams

​Excluding specific users

​Additional Resources

Application Access Policies

New-ApplicationAccessPolicy

Overview

The Approach

Setup Guide

Managing the Policy

View Existing Policies

Remove a Policy

Update Group Membership

Understanding Permission Types

Troubleshooting

Restricting to multiple teams

Excluding specific users

Additional Resources