
Limiting the Mailbox Scope

1. Create or Identify a Mail-Enabled Security Group

You’ll need a mail-enabled security group to define which mailboxes Ocean Security can access. You can either create a new group or reuse an existing one.

Action required

  • Identify the email address of this group (you’ll use it later in the setup)
  • Ensure that the group’s communication checkbox is turned off and the approval checkbox is turned on, so that membership (and therefore the set of mailboxes Ocean can reach) stays under your control
2. Restrict App Permissions Using PowerShell

To limit Ocean Security’s access to only the mailboxes within your selected security group, follow these PowerShell steps:

Prerequisites

  • Ensure you have Exchange Online PowerShell installed and can connect (see Microsoft’s guide for setup details)
  • Have Ocean’s App ID:
    `xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx`

Command to Restrict Access

Run the following command, replacing the placeholder GroupEmail@yourdomain.com with the email address of your security group (the AppId has already been replaced with Ocean’s App ID):
PowerShell
New-ApplicationAccessPolicy -AppId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" `
-PolicyScopeGroupId GroupEmail@yourdomain.com -AccessRight `
RestrictAccess -Description "Restrict this app to members of GroupEmail@yourdomain.com"
Note: After the command runs successfully you’ll receive an identity (a long ID). Save this and send it to Ocean Security.
3. Test the Policy (Optional but Recommended)

To confirm that the restriction is in place, run:
PowerShell
Test-ApplicationAccessPolicy -Identity user1@yourdomain.com `
-AppId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
The AccessCheckResult field in the output shows whether the app is Granted or Denied access to user1’s mailbox: a mailbox outside the security group should show Denied, a member should show Granted. Policy changes can take up to 30 minutes to take effect, so re-run the test before concluding that the policy is wrong. If the process fails, reach out to Ocean’s team.
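The three steps above as one end-to-end script. This is an added example, not Ocean Security’s own tooling: it assumes the security group from step 1 already exists, and the two mailbox addresses (one group member, one non-member) are placeholders you replace with your own. Ocean’s App ID is shown as the same placeholder used on this page.

```powershell
# Added example (not Ocean Security's script): apply the scoping policy and
# verify it against one in-scope and one out-of-scope mailbox.
$AppId      = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'   # Ocean's App ID (placeholder as shown on the page)
$ScopeGroup = 'GroupEmail@yourdomain.com'        # mail-enabled security group from step 1
$InScope    = 'member@yourdomain.com'            # assumed: a member of the group
$OutOfScope = 'other@yourdomain.com'             # assumed: NOT a member of the group

Connect-ExchangeOnline   # prompts for an Exchange admin sign-in

# One policy per app keeps the scope unambiguous; refuse to create a duplicate.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if ($existing) {
    throw "A policy for $AppId already exists (Identity: $($existing.Identity)). Remove or reuse it first."
}

$policy = New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description "Restrict this app to members of $ScopeGroup"

# This is the value to save and send to Ocean Security.
Write-Host "Policy identity: $($policy.Identity)"

# Expected: Granted for the member, Denied for the non-member.
# Policy changes can take up to 30 minutes to take effect, so a Granted result
# for the non-member immediately after creation is not yet proof of a mistake.
foreach ($mailbox in $InScope, $OutOfScope) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    Write-Host ("{0,-35} {1}" -f $mailbox, $result.AccessCheckResult)
}

Disconnect-ExchangeOnline -Confirm:$false
```

The duplicate check matters because a second RestrictAccess policy for the same app would widen, not narrow, the set of reachable mailboxes; testing a non-member mailbox is the check that proves the restriction actually denies something.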

Removing the Limited Mailbox Scope

If you no longer need to restrict Ocean Security’s access to a subset of mailboxes, follow the steps below to remove the application access policy.
1. Locate the Existing Policy Identity

Run the following command to find the application access policy associated with Ocean Security (the App ID has already been replaced with Ocean’s App ID). The filter runs inside PowerShell itself, so it works the same on Windows, macOS and Linux with no grep required:
PowerShell
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx" } | Format-Table -AutoSize Description,ScopeName,AccessRight,AppId,Identity
You will get back a table similar to:
Description                                                       ScopeName       AccessRight     AppId                              Identity
Restrict this app to members of distribution group ExampleGroup.  example-tenant  RestrictAccess  xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx  <policy-identity>
The policy’s identity is the value in the last column (Identity) of that row. If more than one row comes back, there is more than one policy for Ocean’s App ID; note every identity so that all of them are removed in the next step.
2. Remove the Policy

Run the following command, replacing the placeholder with the identity you saved in the previous step:
PowerShell
Remove-ApplicationAccessPolicy -Identity "POLICY_IDENTITY"
A successful command returns no output. If the command fails, reach out to Ocean’s team.
3. Clean Up the Security Group (Optional)

If a mail-enabled security group was created solely for limiting Ocean’s scope, you can remove it from the Microsoft Entra admin center to keep your directory tidy.
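Steps 1 and 2 of the removal procedure as one script, added here as an example rather than taken from Ocean Security: it looks the policy up by App ID instead of asking you to copy the identity by hand, removes every policy it finds for that App ID, and then confirms with Test-ApplicationAccessPolicy that the restriction is gone. The probe mailbox address is a placeholder you replace with a mailbox that was outside the scope group.

```powershell
# Added example (not Ocean Security's script): remove the scoping policy for
# Ocean's App ID and confirm the restriction no longer applies.
$AppId = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'   # Ocean's App ID (placeholder as shown on the page)
$Probe = 'user1@yourdomain.com'             # assumed: a mailbox that was outside the scope group

Connect-ExchangeOnline   # prompts for an Exchange admin sign-in

# Wrap in @() so .Count works whether zero, one or several policies come back.
$policies = @(Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })

if ($policies.Count -eq 0) {
    Write-Host "No application access policy found for $AppId; nothing to remove."
}
else {
    foreach ($p in $policies) {
        Write-Host "Removing policy $($p.Identity) (scope: $($p.ScopeName), right: $($p.AccessRight))"
        Remove-ApplicationAccessPolicy -Identity $p.Identity -Confirm:$false
    }

    # With no policy left, the app's granted permissions apply to every mailbox
    # in the tenant again, so the probe mailbox should now report Granted.
    # Allow up to 30 minutes for the change to propagate before re-checking.
    $after = Test-ApplicationAccessPolicy -Identity $Probe -AppId $AppId
    Write-Host "Access check for $Probe after removal: $($after.AccessCheckResult)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

The final test is the important line for a reviewer: a Granted result on a mailbox that was previously outside the group is the evidence that the application is once again tenant-wide, which is exactly the exposure the policy was limiting.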