When to Use This
By default, Microsoft Graph application permissions grant access to all users in your tenant. Use Application Access Policies to restrict Parable’s access to a specific group of users.
Overview
This guide walks you through restricting your existing Microsoft 365 integration so that it can access data only from a defined subset of users, such as a specific team or department.

Prerequisite: Complete the standard App Registration setup first. This guide adds restrictions to an existing app registration.
The Approach
You can’t limit permissions during token creation. Instead, you:
- Create a mail-enabled security group containing the users Parable should access
- Apply an Application Access Policy that restricts your app to only that group
Setup Guide
Step 1: Create a Mail-Enabled Security Group
- Go to the Microsoft 365 admin center or the Entra ID portal
- Navigate to Groups → Active groups
- Click Add a group
- Select Mail-enabled security as the group type
| Field | Value |
|---|---|
| Name | Parable-Access-Group |
| Description | Users accessible by Parable integration |
| Email address | parable-access@yourdomain.com |
- Add the users you want Parable to access as members
Step 2: Connect to Exchange Online PowerShell
Open PowerShell as administrator and run:
Step 3: Create the Application Access Policy
Run this command, replacing the placeholder values:
| Parameter | Value |
|---|---|
| -AppId | Your app’s Client ID from Azure |
| -PolicyScopeGroupId | Email address of your security group |
| -AccessRight | RestrictAccess (enforces the limitation) |
The policy can take up to 30 minutes to become fully active.
Step 4: Verify the Policy
Test access for users inside and outside the group:
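
The commands for steps 2 through 4, given here as an added example rather than the page's own commands: the script connects to Exchange Online, creates the policy if the app does not already have a RestrictAccess policy, and checks that a group member is granted access while a non-member is denied. The GUID, the admin account and the two test mailboxes are constructed placeholders; the cmdlets come from the ExchangeOnlineManagement module, which is assumed to be installed.

```powershell
# Added example. Placeholder values are constructed; replace them before running.
$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder: your app's Client ID
$ScopeGroup = 'parable-access@yourdomain.com'         # group email address from step 1
$AdminUpn   = 'admin@yourdomain.com'                  # placeholder: Exchange admin account

# Constructed sample mailboxes and the result each should produce.
$Expected = @{
    'member.user@yourdomain.com'  = 'Granted'   # member of the group
    'outside.user@yourdomain.com' = 'Denied'    # not a member
}

# Step 2: connect (assumes the ExchangeOnlineManagement module is installed).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

try {
    # Step 3: create the policy unless this app already has a RestrictAccess policy.
    $existing = Get-ApplicationAccessPolicy |
        Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' }
    if (-not $existing) {
        New-ApplicationAccessPolicy -AppId $AppId `
            -PolicyScopeGroupId $ScopeGroup `
            -AccessRight RestrictAccess `
            -Description 'Restrict Parable to Parable-Access-Group'
    }

    # Step 4: test each mailbox and compare the result with what is expected.
    $report = foreach ($mailbox in $Expected.Keys) {
        $check = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
        [pscustomobject]@{
            Mailbox  = $mailbox
            Expected = $Expected[$mailbox]
            Actual   = $check.AccessCheckResult
            Match    = ($check.AccessCheckResult -eq $Expected[$mailbox])
        }
    }
    $report | Format-Table -AutoSize

    # A mismatch means the app can reach a mailbox it should not, or the reverse.
    if ($report | Where-Object { -not $_.Match }) {
        Write-Warning 'Policy result differs from the expected scope; review group membership.'
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```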